Not a bug Reports Bug

Crush

Crush

Member
When a user reports content that is in a hidden node only accessible to users in Usergroup A, users in Usergroup B will be able to see the thread content. Users in Usergroup A are Administrators, users in Usergroup B are Moderators. In this example, both should have access to the Reports Queue.

This seems like a very uncommon use case, but it seems since there are no permissions checks hidden information could be exposed this way.
 
Can you verify this with accounts matching your description with add-ons disabled? The report center already handles permission checks and a user will only see what he has permission to see.
 
I fixed this one. It was because the Permissions were not all set to Revoke in the Node Everything but View Node was set to Inherit from the Category. Users in the group could not view the node, but in certain cases (like the Reports) could see the thread content.
 

Similar threads

K
  • Suggestion Suggestion
Flag Loggedin-only permissions
Replies
0
Views
304
Kirby
K
Ludachris
Soft deleting threads in forums by users who get removed from a usergroup?
Replies
7
Views
577
James
J
A
Not a bug User uploaded avatar with usergroup options disabling it
Replies
3
Views
336
Jeremy P
Jeremy P
Ladegro
  • Suggestion Suggestion
Default filter: Hide or exclude posts with certain prefix
Replies
0
Views
244
Ladegro
Ladegro
Ozzy47
[OzzModz] Content Reported Notice [Paid]
Replies
5
Views
809
Ozzy47
Ozzy47
Top Bottom