Tor

[Bob_R]

Has anyone ever heard of Tor?

Well guess what. Anyone that has Tor and is a member of your site (maybe they have to already be a Mod) instantly becomes a Mod of every forum on your board!

If the staff here don't know about this I suggest you look into it immediately.

And, if I'm somehow wrong or mistaken please guide me in the right direction.

Because one of my members has just proved it to me. He can mod every single forum but the Staff Only forum.

Does anyone have a logical explanation for this?

 

[Bob_R]

Confirmed. As long as you are already a Mod you become a M0d of every forum.

Major security vulnerability.

 

[Itworx4me]

Has anyone ever heard of Tor?

Well guess what. Anyone that has Tor and is a member of your site (maybe they have to already be a Mod) instantly becomes a Mod of every forum on your board!

If the staff here don't know about this I suggest you look into it immediately.

And, if I'm somehow wrong or mistaken please guide me in the right direction.

Because one of my members has just proved it to me. He can mod every single forum but the Staff Only forum.

Does anyone have a logical explanation for this?

Confirmed. As long as you are already a Mod you become a M0d of every forum.

Major security vulnerability.

I would say you have a Permissions Issue. I would first check there.....

 

[Jeremy]

Besides permissions, can you replicate this yourself on a test account?

How did you add the user to the moderator user group?

How do you set up your moderator permissions?

 

[Bob_R]

I would say you have a Permissions Issue. I would first check there.....

Huh?

The guy's simply a mod of a single forum. Which permissions exactly would I need to check.

 

[Bob_R]

Besides permissions, can you replicate this yourself on a test account?

How did you add the user to the moderator user group?

How do you set up your moderator permissions?

No, can't replicate. Do not wish to install TOR.

Do not remember how added to mod user group was last June

Do not remember how set up moderator permissions was last June.

 

[Bob_R]

Besides permissions, can you replicate this yourself on a test account?

Used Test Permissions from my AdminCP and he is indeed a Mod of every forum!!

 

[Jeremy]

Use Analyze Permissions -- test permissions applies their permissions on top of your current permissions.

 

[Bob_R]

Use Analyze Permissions -- test permissions applies their permissions on top of your current permissions.

His permissions are fine!

What is the nextstep to fix this Xenforo security problem????!!!!

 

[Mike]

What did analyze permissions show exactly? If test permissions gave you those permissions, then analyze permissions would show it. Tor is entirely unrelated.

It's almost certainly an issue in your permission configuration, such as you applying moderator permissions to the moderating group (thereby giving them all moderator permissions everywhere it isn't explicitly removed).

 

[Bob_R]

How would I change permissions for groups? aka.... Let's say my forum was just starting today with no Staff.

 

[Bob_R]

What did analyze permissions show exactly? If test permissions gave you those permissions, then analyze permissions would show it. Tor is entirely unrelated.

It's almost certainly an issue in your permission configuration, such as you applying moderator permissions to the moderating group (thereby giving them all moderator permissions everywhere it isn't explicitly removed).

Here's a little snapshot from his Analyze permissions.

 

[Bob_R]

Some more info.

 

[Paul B]

How would I change permissions for groups?

For global permissions, click on the user group, change the permissions.

For individual nodes, click on the Permissions link for the node, click on the user group, change the permissions.

 

[Mike]

That analyze permission screenshot shows what I expected: you applied permissions via the moderating group. This means that the user receives those permissions everywhere unless explicitly revoked. If you are dealing with forum-specific moderators, you shouldn't specify any "default" moderating group permissions and apply the permissions you want via the "Moderators" system.

 

[Bob_R]

That analyze permission screenshot shows what I expected: you applied permissions via the moderating group. This means that the user receives those permissions everywhere unless explicitly revoked. If you are dealing with forum-specific moderators, you shouldn't specify any "default" moderating group permissions and apply the permissions you want via the "Moderators" system.

I am dealing with forum specific moderators. Where is the "Moderators" system?

 

[Mike]

Users > Moderators. You showed screenshots from it.

 

[Lawrence]

I am dealing with forum specific moderators. Where is the "Moderators" system?

AdminCP -> Users -> Moderators -> Create New Moderator
Type in the user name, and then select Forum moderator, and select the forum from the drop down. This will take you to a new check-box permission system for that forum,

 

[Bob_R]

@Brogan @Mike @Lawrence So what do you propose I do? De-mod everyone and just start from scratch? That seems to be the easiest and logical route but please correct me if I am mistaken.

 

[Paul B]

It's up to you how you approach it but really all you need to do is ensure the user, user group and node permissions are all set up correctly.

This may help: https://xenforo.com/community/resources/implementing-permissions-across-multiple-user-groups.358/

My Moderating user group has the lowest set of perms which all moderators have - spam cleaner, view IPs, etc.
Then I apply individual node perms for managing threads, etc.