Tags from not viewable topics can be seen by visitors & epic bug
-
Hi!
I've seen a beautiful bug on my forum (ABM):
1- you make a topic with a tag [restricted] in an area restricted to a group of users
2- you connect as a user from this group and click on the tag [restricted] -> you see the topic
3- you connect as a user lambda (with no rights), you can see the tag [restricted] even if it's not in any viewable topic. If you click on it, no topic will be seen.
4- if you connect again as a user from the restricted group, the tag will have disappeared, and if you click on it on the topic, no results will be seen
-
Can sort of confirm. I guess the issue here would be tags visible for categories that the user doesn't have permission to view.
Second issue is once a user without permission has tried to view topics with this tag, it's no longer available to view by those even with the permission.
-
Fixed as of https://github.com/NodeBB/NodeBB/commit/5ec289eee2c44f4dd49e7b2884d27dd1acb20d5c.
The problem was I was deleting tags that no longer had topics but was doing it in the wrong place. If a user couldn't see any topics the code was deleting the tag. I moved it up to actually check the tids and not the topics the user can see.
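-
The cleanup mistake described in the fix above, as an added example that is not part of the thread and not NodeBB's code: an in-memory model in which the buggy lookup deletes a tag when the viewer's permission-filtered topic list is empty, next to a version that decides on the raw tids. Every name here (`makeStore`, `getTagTopicsBuggy`, `getTagTopicsFixed`, `replay`, the `staff`/`guests` groups, cid 5) is hypothetical and the data is constructed.

```javascript
// Added illustration: in-memory model, not NodeBB code. All names are hypothetical.
function makeStore() {
  return {
    // tag -> topic ids (tids) carrying that tag
    tagTids: new Map([['restricted', [1]]]),
    // tid -> topic; cid 5 is the constructed restricted category
    topics: new Map([[1, { tid: 1, cid: 5, title: 'Staff only' }]]),
    // cid -> groups allowed to read that category
    readers: new Map([[5, new Set(['staff'])]]),
  };
}

// Permission filter: keep only topics whose category the user's group may read.
function visibleTopics(store, tids, user) {
  return tids
    .map((tid) => store.topics.get(tid))
    .filter((t) => t && (store.readers.get(t.cid) || new Set()).has(user.group));
}

// Bug: the cleanup decision is based on what *this viewer* can see.
function getTagTopicsBuggy(store, tag, user) {
  const tids = store.tagTids.get(tag) || [];
  const topics = visibleTopics(store, tids, user);
  if (topics.length === 0) {
    store.tagTids.delete(tag); // a read by an unprivileged user destroys shared state
  }
  return topics;
}

// Fix: the cleanup decision is based on the raw tids, before permission filtering.
function getTagTopicsFixed(store, tag, user) {
  const tids = store.tagTids.get(tag) || [];
  if (tids.length === 0) {
    store.tagTids.delete(tag); // the tag genuinely has no topics left
    return [];
  }
  return visibleTopics(store, tids, user);
}

// Replays steps 3 and 4 of the report: a guest opens the tag, then a staff member does.
function replay(getTagTopics) {
  const store = makeStore();
  const guestSaw = getTagTopics(store, 'restricted', { group: 'guests' }).length;
  const staffSaw = getTagTopics(store, 'restricted', { group: 'staff' }).length;
  return { guestSaw, staffSaw, tagSurvives: store.tagTids.has('restricted') };
}
```

Calling `replay` with each function shows the difference: with the buggy lookup the guest's request removes the tag for everyone, with the fixed one the staff member still gets the topic.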