1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug Reports Bug

Discussion in 'Resolved Bug Reports' started by Crush, Jan 3, 2015.

  1. Crush

    Crush Member

    When a user reports content that is in a hidden node only accessible to users in Usergroup A, users in Usergroup B will be able to see the thread content. Users in Usergroup A are Administrators, users in Usergroup B are Moderators. In this example, both should have access to the Reports Queue.

    This seems like a very uncommon use case, but it seems since there are no permissions checks hidden information could be exposed this way.
     
  2. Jeremy

    Jeremy XenForo Moderator Staff Member

    Can you verify this with accounts matching your description with add-ons disabled? The report center already handles permission checks and a user will only see what he has permission to see.
     
  3. Crush

    Crush Member

    I fixed this one. It was because the Permissions were not all set to Revoke in the Node Everything but View Node was set to Inherit from the Category. Users in the group could not view the node, but in certain cases (like the Reports) could see the thread content.
     

Share This Page