But it is possible to access a search result (i.e. a search that a user with appropriate permissions has performed; like the link you posted - with the result ID 1). Don't know if that is a desired behavior.
Read my post again carefully. The link I have posted performs a search - and respects permissions. The link Andy has posted is just a (cached) search result. After you perform a search you get redirected to such a link. And these links are really accessible for everyone. As I said: I don't know if that's a desired XF behavior.
Seems we're talking past each other, but short story is, this is certainly not desired behavior.
1) open an Incognito browser session
2) go to a forum where unregistered/unconfirmed users are not permitted to use the Search function.
3) go to a url like: https://[domain].com/community/search/[choose-a-random-number]/?q=[choose-a-search-term]
4) observe that it works.
Since unregistered/unconfirmed users are not permitted to use the Search feature, it shouldn't be able to be obviated by futzing with the URL (cached or not). I've noticed some bots heavily crawling my site in this manner.
Agree, there's the bug, at minimum. I'm not sure exactly how it is working, but I know I tested on my site and key-smashed a few digits for the result ID, and used a fairly generic term (though not entirely uncommon for my niche), and got the results output. Should get the "oops" and login bit.
I suppose I don't care too much if the result ID and the associated term is somehow learned and therefore can be accessed, although in principle shouldn't it also thwart any results? This is definitely much less of a concern than the former one though, all things relative.
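Added example, not part of the thread and not XenForo code: a way to spot the crawling pattern described above in a web server access log, by listing clients that received HTTP 200 on several distinct cached search-result URLs of the form `/search/<result-id>/?q=<term>`. It assumes the Combined Log Format; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# URL shape from the thread: .../search/<result-id>/?q=<term>
RESULT_RE = re.compile(r'/search/(\d+)/?$')

def search_result_hits(lines):
    """Yield (ip, result_id, term, status) for requests to cached search-result URLs."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the assumed format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        r = RESULT_RE.search(parts.path)
        if not r:
            continue  # some other page
        term = parse_qs(parts.query).get("q", [""])[0]
        yield ip, int(r.group(1)), term, status

def flag_enumerators(lines, min_distinct_ids=3):
    """Return {ip: sorted result ids} for clients served 200 on many distinct result IDs."""
    seen = defaultdict(set)
    for ip, rid, _term, status in search_result_hits(lines):
        if status == 200:  # results were actually rendered, not a login/error page
            seen[ip].add(rid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_distinct_ids}

# Constructed sample log lines (documentation IP ranges, made-up IDs and terms).
_T = '[01/Jan/2024:10:00:00 +0000]'
SAMPLE = [
    f'203.0.113.7 - - {_T} "GET /community/search/48213/?q=widget HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"',
    f'203.0.113.7 - - {_T} "GET /community/search/90311/?q=widget HTTP/1.1" 200 5090 "-" "ExampleBot/1.0"',
    f'203.0.113.7 - - {_T} "GET /community/search/11742/?q=gasket HTTP/1.1" 200 4800 "-" "ExampleBot/1.0"',
    f'198.51.100.20 - - {_T} "GET /community/search/1/?q=widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.20 - - {_T} "GET /community/threads/hello.5/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - {_T} "GET /community/search/7/?q=widget HTTP/1.1" 403 700 "-" "OtherBot/2.0"',
    f'192.0.2.44 - - {_T} "GET /community/search/8/?q=widget HTTP/1.1" 403 700 "-" "OtherBot/2.0"',
    f'192.0.2.44 - - {_T} "GET /community/search/9/?q=widget HTTP/1.1" 403 700 "-" "OtherBot/2.0"',
]

if __name__ == "__main__":
    for ip, ids in flag_enumerators(SAMPLE).items():
        print(ip, ids)
```

An access log in this format does not record whether the client was logged in, so flagged addresses still need to be checked against session data before concluding they were guests.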