
Who Read This Thread / Track Member Topic Reading Behavior


Miss_B


  • 1 month later...
Posted

Security Issue!

I have 2 groups that are part of my staff, the Moderators and the Administrators. Both these groups have permission to see who read topics and to see the corresponding tab on a user's profile. However, the list of viewed topics on a person's profile isn't filtered by who can view a certain forum.

For example, I have a private forum for Administrators that Moderators cannot see, read, or even see the topic listing. Most of them don't even know it exists. However, when a moderator looks at the "Recently Viewed" tab on an Administrators profile, they can see the titles of topics recently visited that are in the Admin-ONLY forum. Now, of course, they don't have permission to read the topic, but they now know the private admin only forum exists and can see the topic title. This could be particularly embarrassing if we had a thread titled "Moderator Ed and Moderator Suzy are crazy and should be fired". 

The normal function of Invision software is to only display links to topics that a person has permission to read. When you visit a profile and see a list of someone's activity, what they reacted to or what they replied to, you are only seeing reactions and replies to what you yourself can read. Your application does not filter in the same way that the Invision Power Suite does by default. This is a major problem, imo.

My fix for now is to exempt Administrators from having their viewed topics logged. But if a moderator notices that admins don't have anything listed in their Recently Viewed tab on their profile page, it might look like we're hiding something and sow some discord among the staff.

 

I hope I explained this clear enough. When a group who has permission to see the tab on profiles looks at that tab, they should only see the topic titles of topics from forums they can access, just like the default behaviour of Invision software.

 

 

Posted (edited)
6 hours ago, Robert Angle said:

Security Issue!

[quoted post above]

Yes, you explained it very clearly. I was able to reproduce it as well. I have fixed said issue and I have uploaded a new version that contains the fix. I sent it to you in private as well so you can upgrade it a.s.a.p.

Thank you for reporting it. 

Kind regards

Edited by Miss_B
Posted

Thank you. The patch seems to be working. It replaces the topic titles/links they don't have permission to view with the words "content deleted". It would be nicer if it just skipped it altogether, but this is definitely better than it was.
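The leak reported above, and the two ways of closing it that the thread discusses (skipping entries the viewer cannot read, versus the shipped fix that replaces the title with "content deleted"), as an added example. This is not code from the Who Read This Thread application or from Invision Community; the forum names, group names, topic titles and the permission table are constructed for illustration, and the viewer's groups are passed in as a plain list.

```python
"""Permission-aware rendering of a "Recently Viewed" topics list.

Added example, not the application's own code. Models the information
disclosure from the thread: the view log is filtered by who *viewed*,
never by who is *looking at the profile*. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Topic:
    topic_id: int
    title: str
    forum: str


# Constructed permission table: which groups may read which forum.
FORUM_READ_PERMISSIONS = {
    "General Discussion": {"Members", "Moderators", "Administrators"},
    "Moderator Lounge": {"Moderators", "Administrators"},
    "Admin Only": {"Administrators"},
}

# Constructed "Recently Viewed" log for one administrator's profile.
ADMIN_VIEW_LOG = [
    Topic(1, "Welcome thread", "General Discussion"),
    Topic(2, "Handling reports", "Moderator Lounge"),
    Topic(3, "Staff performance review", "Admin Only"),
]


def viewer_can_read(viewer_groups, forum):
    """True if any of the viewer's groups has read access to the forum."""
    allowed = FORUM_READ_PERMISSIONS.get(forum, set())
    return bool(set(viewer_groups) & allowed)


def recent_topics_unfiltered(view_log):
    """Original behaviour: every logged title, whoever is looking."""
    return [t.title for t in view_log]


def recent_topics_filtered(view_log, viewer_groups):
    """What the reporter asked for: drop entries the viewer cannot read."""
    return [t.title for t in view_log
            if viewer_can_read(viewer_groups, t.forum)]


def recent_topics_redacted(view_log, viewer_groups,
                           placeholder="content deleted"):
    """Shipped fix as described in the thread: keep the entry, hide the title.

    The hidden entry still reveals that *something* was viewed, which is
    why the reporter would prefer the filtered form.
    """
    return [t.title if viewer_can_read(viewer_groups, t.forum) else placeholder
            for t in view_log]


def leaked_titles(rendered_titles, view_log, viewer_groups):
    """Regression check: titles shown to a viewer who may not read them."""
    hidden = {t.title for t in view_log
              if not viewer_can_read(viewer_groups, t.forum)}
    return [title for title in rendered_titles if title in hidden]


if __name__ == "__main__":
    moderator = ["Moderators"]
    print("unfiltered:", recent_topics_unfiltered(ADMIN_VIEW_LOG))
    print("leaked to moderator:",
          leaked_titles(recent_topics_unfiltered(ADMIN_VIEW_LOG),
                        ADMIN_VIEW_LOG, moderator))
    print("filtered:", recent_topics_filtered(ADMIN_VIEW_LOG, moderator))
    print("redacted:", recent_topics_redacted(ADMIN_VIEW_LOG, moderator))
```

The `leaked_titles` check is the one worth keeping in a test suite: run the rendered list for each staff group against the view log and assert it comes back empty, so a future change to the widget cannot quietly reintroduce the unfiltered output.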

  • 1 year later...
Posted
On 7/21/2022 at 8:52 AM, Robert Angle said:

I just wanted to say that the current version still works fine with 4.7

I can't install it with 4.7.

Posted
On 7/23/2022 at 6:15 AM, Adrienne said:

I can't install it with 4.7.

Hello. I have edited the app to update the version compatibility field to include the 4.7 version as well. Currently it is waiting approval. Once it gets approved you can download it from your Acp.

  • 3 months later...
Posted
10 hours ago, iiioroh said:

Invision Community

4.7.4 Beta 2

 Error when logging in as user


I've adjusted the code in the widget to suppress the OutOfRangeException error and uploaded the new package. Thank you for bringing this to my attention.

 

  • 4 weeks later...
Posted
17 minutes ago, Christopher Iosca said:

 

I receive this error when attempting to look at users. I am in the only group approved to see this.


 

It looks like the permissions are not set. Can you double check them? 

Posted
36 minutes ago, Christopher Iosca said:

Still need help with this. Permissions are ok per the images supplied. What am I missing?

I can't reproduce this. Can you send me the link to your Admin Panel with an account log in info and I will look into this for you. 

  • 8 months later...
  • 4 weeks later...
Posted

Thank you for being a client!  The Invision Community Marketplace is closing October 30 2023, so I am moving all of my files over to my personal site https://www.yourforumservices.com

Bookmark https://www.yourforumservices.com and the new Marketplace Directory https://www.invisioneer.org/.  
