Who Read This Thread / Track Member Topic Reading Behavior


Miss_B

Security Issue!

I have 2 groups that are part of my staff, the Moderators and the Administrators. Both these groups have permission to see who read topics and to see the corresponding tab on a user's profile. However, the list of viewed topics on a person's profile isn't filtered by who can view a certain forum.

For example, I have a private forum for Administrators that Moderators cannot view, read, or even see in the topic listing. Most of them don't even know it exists. However, when a moderator looks at the "Recently Viewed" tab on an Administrator's profile, they can see the titles of recently visited topics that are in the Admin-ONLY forum. Now, of course, they don't have permission to read the topic, but they now know the private admin-only forum exists and can see the topic title. This could be particularly embarrassing if we had a thread titled "Moderator Ed and Moderator Suzy are crazy and should be fired".

The normal function of Invision software is to only display links to topics that a person has permission to read. When you visit a profile and see a list of someone's activity, what they reacted to or what they replied to, you are only seeing reactions and replies to what you yourself can read. Your application does not filter in the same way that the Invision Power Suite does by default. This is a major problem, imo.

My fix for now is to exempt Administrators from having their viewed topics logged. But if a moderator notices that admins don't have anything listed in their Recently Viewed tab on their profile page, it might look like we're hiding something and sow some discord among the staff.

I hope I explained this clearly enough. When a group who has permission to see the tab on profiles looks at that tab, they should only see the topic titles of topics from forums they can access, just like the default behaviour of Invision software.
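The report above describes a missing authorization filter: the "Recently Viewed" tab is populated from the raw view log of the profile owner, and the permissions of the person looking at the tab are never consulted. The following model shows that leak next to the read-time filter the poster asks for, and also models the poster's interim workaround (not logging Administrators' views) to show its side effect. This is an added illustration, not code from the Who Read This Thread app or from Invision Community; all forum, group, member and topic names are constructed sample data and every function name is an assumption.

```python
"""Model of the "Recently Viewed" profile tab and its permission filter.

Added illustration only. Nothing here is the app's or Invision Community's
code; the data and function names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forum:
    name: str
    groups_allowed: frozenset  # groups permitted to view/read this forum


@dataclass(frozen=True)
class Topic:
    title: str
    forum: Forum


@dataclass(frozen=True)
class Member:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class ViewRecord:
    viewer: Member  # the member whose profile the tab belongs to
    topic: Topic


def can_read_forum(member, forum):
    """A member may read a forum if any of their groups is allowed."""
    return bool(member.groups & forum.groups_allowed)


# Constructed sample data: a staff forum both groups can read, and an
# admin-only forum that Moderators cannot see at all.
STAFF = Forum("Staff Lounge", frozenset({"Moderators", "Administrators"}))
ADMIN = Forum("Admin Only", frozenset({"Administrators"}))

ED = Member("Ed", frozenset({"Moderators"}))
ALICE = Member("Alice", frozenset({"Administrators"}))

VIEW_LOG = [
    ViewRecord(ALICE, Topic("Forum rules update", STAFF)),
    ViewRecord(ALICE, Topic("Moderator Ed and Moderator Suzy are crazy and should be fired", ADMIN)),
]


def recently_viewed_unfiltered(log, profile_owner):
    """The reported behaviour: every title the owner viewed is listed,
    regardless of whether the person reading the tab may see that forum."""
    return [r.topic.title for r in log if r.viewer == profile_owner]


def recently_viewed_for_viewer(log, profile_owner, tab_viewer):
    """The requested behaviour: filter at read time by the tab viewer's
    forum permissions. Admin views still get logged, so an admin looking
    at the same profile sees the full list."""
    return [
        r.topic.title
        for r in log
        if r.viewer == profile_owner and can_read_forum(tab_viewer, r.topic.forum)
    ]


def leaked_titles(log, profile_owner, tab_viewer):
    """Titles the unfiltered tab exposes that the viewer should not see."""
    allowed = set(recently_viewed_for_viewer(log, profile_owner, tab_viewer))
    return [t for t in recently_viewed_unfiltered(log, profile_owner) if t not in allowed]


def record_view(log, viewer, topic, exempt_groups=frozenset()):
    """The poster's interim workaround, modelled: skip logging entirely for
    exempt groups. Returns True if the view was recorded. Side effect: the
    exempt member's tab is empty for everyone, including other admins."""
    if viewer.groups & exempt_groups:
        return False
    log.append(ViewRecord(viewer, topic))
    return True


if __name__ == "__main__":
    print("unfiltered (leaks):", recently_viewed_unfiltered(VIEW_LOG, ALICE))
    print("filtered for Ed:   ", recently_viewed_for_viewer(VIEW_LOG, ALICE, ED))
    print("leaked to Ed:      ", leaked_titles(VIEW_LOG, ALICE, ED))
```

The check that matters is the one in `recently_viewed_for_viewer`: the filter is applied against the member requesting the page, not the member whose profile is shown, which is the same rule that hides reactions and replies in restricted forums from a profile's activity stream.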

6 hours ago, Robert Angle said:

Security Issue!

Yes, you explained it very clearly. I was able to reproduce it as well. I have fixed said issue and I have uploaded a new version that contains the fix. I sent it to you in private as well so you can upgrade it a.s.a.p.

Thank you for reporting it. 

Kind regards

Edited by Miss_B