FIXED [BUG] Topic_view_users.php And Permissions


Subject: [BUG] Topic_view_users.php And Permissions
In topic_view_users.php users should not have access to view topics' views of unauthorized topics (unauthorized forums).

But actually users, even without forum (and so topic) permissions, can see every topic's views.

I think it's a bug. If I protect a forum, I want to prevent any action on it, not only the view_forum or view_topic.

Can MG make a patch for it?

Thanks! :wink:

Subject: Re: [BUG] Topic_view_users.php And Permissions
Another related "bug", if we want to consider this a bug:
If another user is viewing the topic_view_users.php page, and I see his action on viewonline.php, the link of that action is only the URL to "topic_view_users.php" without any topic_id.
So, it should be "topic_view_users.php?t=XXXX".
Where XXXX is the related topic ID.

Subject: Re: [BUG] Topic_view_users.php And Permissions
But the user will just know the users who have seen *a* topic, but will never know which is this topic that those users have seen :roll:

Subject: Re: [BUG] Topic_view_users.php And Permissions
I can't follow the both of you... :mrviolet:

Subject: Re: [BUG] Topic_view_users.php And Permissions
Yes, I know it. But I think it should not be possible in a correct and accurate permissions policy.

Subject: Re: [BUG] Topic_view_users.php And Permissions
ganesh wrote:
I can't follow the both of you... :mrviolet:

Try to go to these links:
ID1=ID of a public topic
ID2=ID of a topic in a protected forum that you cannot view because you do not have any permissions

/topic_view_users.php?t=ID1
/topic_view_users.php?t=ID2

You can see the page for both links!
For the first link, that is correct.
For the second link, in my opinion, it should be taken into account that users do not have access to that forum (and so to that topic). It's wrong to let them see any kind of information about a protected topic.

Subject: Re: [BUG] Topic_view_users.php And Permissions
Eradicator wrote:
Yes, I know it. But I think it should not be possible in a correct and accurate permissions policy.

Yes, that's true.
ganesh wrote:
I can't follow the both of you... :mrviolet:

What don't you understand exactly?

Subject: Re: [BUG] Topic_view_users.php And Permissions
I see... but...
If only admin or moderators are allowed to post there... I don't know why a user has to guess the id for a protected topic to discover that the topic itself has been viewed by mods and admins...
Guests can't see anything...
I can't follow...

:?

Subject: Re: [BUG] Topic_view_users.php And Permissions
A kind of SQL injection.
It's not dangerous, but now it's allowed.
A standard page "You have not access to this page" should be shown.

Subject: Re: [BUG] Topic_view_users.php And Permissions
There is another thing related to both topic_view_users.php and viewonline.php.
If a user is in topic_view_users.php and I am on viewonline.php, looking at what users are doing, I see the row:
USER XXXXX Viewing Topic's views.
The phrase "Viewing Topic's views" is linked to the page topic_view_users.php without the value t sent by GET.
So, if I click on that link (without the t value), I receive an SQL error.

Subject: Re: [BUG] Topic_view_users.php And Permissions
I've fixed this...


Attachment: topic_view_users.zip (Description: Topic View Users, Filesize: 4.34 KB)

Subject: Re: FIXED -[BUG] Topic_view_users.php And Permissions
Great! :wink:
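
The two checks discussed in this thread (a forum permission check before showing a topic's views, and handling a missing `t` value instead of letting it reach the SQL query), as an added example that is not part of the thread and is not Icy Phoenix's code or the content of the attached fix. All function names, group names and data below are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical names and constructed data, not Icy Phoenix code.

// Constructed sample data: topic_id => forum_id, forum_id => groups allowed to read.
const TOPIC_FORUM = [10 => 1, 20 => 2];
const FORUM_READERS = [1 => ['guest', 'user', 'mod'], 2 => ['mod']];
// Constructed view log: topic_id => usernames that viewed the topic.
const TOPIC_VIEWERS = [10 => ['alice', 'bob'], 20 => ['admin']];

/** Parse ?t= strictly: digits only and positive, otherwise null. */
function parse_topic_id(array $query): ?int
{
    $raw = $query['t'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null; // missing, array-valued, signed or non-numeric
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Return [HTTP status, body] for a topic-viewers request.
 * An unknown topic and a forbidden topic get the same answer, so the
 * response does not confirm which topic ids exist in protected forums.
 */
function topic_view_users(array $query, string $group): array
{
    $denied = [403, 'You have not access to this page'];
    $topicId = parse_topic_id($query);
    if ($topicId === null) {
        return [400, 'No topic specified']; // never reaches the database
    }
    $forumId = TOPIC_FORUM[$topicId] ?? null;
    if ($forumId === null) {
        return $denied;
    }
    // The read check that guards the topic also guards its view list.
    if (!in_array($group, FORUM_READERS[$forumId] ?? [], true)) {
        return $denied;
    }
    return [200, implode(', ', TOPIC_VIEWERS[$topicId] ?? [])];
}

// The two URLs from the thread (ID1 = 10 public, ID2 = 20 protected), plus a missing t.
foreach ([['t' => '10'], ['t' => '20'], []] as $q) {
    [$status, $body] = topic_view_users($q, 'user');
    echo $status, ' ', $body, PHP_EOL;
}
```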

