Fixed Search user group permission not honored

AndyB

Affected version
XF 2.1.0
If I set this to No for the Unregistered / unconfirmed user group:

[Attachment 197137]

it hides the Search box correctly. However I can still do a search from the address bar in my browser.

Example:

https://xenforo.com/community/search/1/?q=test

Expected behavior would be to return a no permission error.
 
However I can still do a search from the address bar in my browser.
No. If you type in a URL that actually performs a search (e.g. https://xenforo.com/community/search/search?keywords=test), then the permissions are checked as they should.

But it is possible to access a search result (i.e. a search that a user with appropriate permissions has performed; like the link you posted - with the result ID 1). Don't know if that is a desired behavior.
 
If you try it exactly as Andy described, you will see that it is indeed an issue. Anyone can craft the URL as he described. Your example is different.
Read my post again carefully. The link I have posted performs a search - and respects permissions. The link Andy has posted is just a (cached) search result. After you perform a search you get redirected to such a link. And these links are really accessible for everyone. As I said: I don't know if that's a desired XF behavior.
 
Seems we're talking past each other, but short story is, this is certainly not desired behavior.

1) open an Incognito browser session
2) go to a forum where unregistered/unconfirmed users are not permitted to use the Search function.
3) go to a url like: https://[domain].com/community/search/[choose-a-random-number]/?q=[choose-a-search-term]
4) observe that it works.

Since unregistered/unconfirmed users are not permitted to use the Search feature, it shouldn't be able to be obviated by futzing with the URL (cached or not). I've noticed some bots heavily crawling my site in this manner.
 
OK, sorry, my fault. I have just tested with existing search result IDs.

So, to be precise:
  • User with search permissions can perform a search.
  • User without search permissions can access a search result if they know the search result ID. If the search result ID exists, they cannot change the search term (i.e. no new search is performed).
  • If the search result ID does not exist, a new search is performed and in that case search permissions are not followed -> this seems to be the bug.
 
  • If the search result ID does not exist, a new search is performed and in that case search permissions are not followed -> this seems to be the bug.
Agree, there's the bug, at minimum. I'm not sure exactly how it is working, but I know I tested on my site and key-smashed a few digits for the result ID, and used a fairly generic term (though not entirely uncommon for my niche), and got the results output. Should get the "oops" and login bit.

I suppose I don't care too much if the result ID and the associated term is somehow learned and therefore can be accessed, although in principle shouldn't it also thwart any results? This is definitely much less of a concern than the former one though, all things relative.
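
The three cases summarised in the thread, as an added example that is not XenForo's code and not part of any post: a simplified Python model of a "perform search" route that checks permission and a "view results" route that falls back to a fresh search when the result ID is unknown, with and without a permission check at its entry. All class, method and field names and the sample posts are assumptions made for the illustration.

```python
# Simplified model of the two search routes discussed in the thread.
# All class, method and field names are hypothetical, not XenForo's.

class NoPermission(Exception):
    """Stands in for the forum's no-permission error page."""

POSTS = ["test post about widgets", "staff notes", "another test thread"]  # constructed

class SearchApp:
    def __init__(self, hardened):
        self.hardened = hardened
        self.cache = {}          # search_id -> (query, results)
        self.next_id = 1

    def _run(self, query):
        results = [p for p in POSTS if query.lower() in p.lower()]
        search_id, self.next_id = self.next_id, self.next_id + 1
        self.cache[search_id] = (query, results)
        return search_id, results

    def perform(self, user, query):
        # Models /search/search?keywords=...: permission is checked here.
        if not user["can_search"]:
            raise NoPermission()
        return self._run(query)

    def view_results(self, user, search_id, query=None):
        # Models /search/<id>/?q=...
        if self.hardened and not user["can_search"]:
            raise NoPermission()          # check before any lookup or fallback
        if search_id in self.cache:
            return self.cache[search_id][1]   # stored results; q is ignored
        if query is None:
            return []
        # Unknown ID: fall back to a fresh search. Without the check above,
        # this path runs a search for a user who may not search.
        return self._run(query)[1]

def outcome(app, user, search_id, query):
    try:
        return app.view_results(user, search_id, query)
    except NoPermission:
        return "no permission"

GUEST = {"can_search": False}
MEMBER = {"can_search": True}

if __name__ == "__main__":
    for hardened in (False, True):
        print(hardened, outcome(SearchApp(hardened), GUEST, 4711, "test"))
```

With `hardened=True` the guest is refused for both an existing and a non-existing result ID, which matches the "no permission error" the original report expected.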
 