Tags from not viewable topics can be seen by visitors & epic bug



  • Hi!

    I've seen a beautiful bug on my forum (ABM):

    1- you make a topic with a tag [restricted] in an area restricted to a group of users

    2- you connect as a user from this group and click on the tag [restricted] -> you see the topic

    3- you connect as a lambda user (with no rights), you can see the tag [restricted] even if it's not in any viewable topic. If you click on it, no topic will be seen.

    4- if you connect again as a user from the restricted group, the tag will have disappeared, and if you click on it on the topic, no results will be seen



  • Can sort of confirm. I guess the issue here would be tags visible for categories that the user doesn't have permission to view.

    Second issue is once a user without permission has tried to view topics with this tag, it's no longer available to view by those even with the permission.


  • Staff Admin

    Fixed as of https://github.com/NodeBB/NodeBB/commit/5ec289eee2c44f4dd49e7b2884d27dd1acb20d5c.

    The problem was I was deleting tags that no longer had topics but was doing it in the wrong place. If a user couldn't see any topics the code was deleting the tag. I moved it up to actually check the tids and not the topics the user can see.
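Added example, not part of the thread and not NodeBB's code: a minimal in-memory model of the deletion bug described in the last post, with the cleanup keyed on the per-user filtered topics ("before") beside the cleanup keyed on the raw tid list ("after"). The store layout, the user names and every function name are hypothetical.

```javascript
// Constructed sample data: one topic in a restricted category, tagged "restricted".
function makeStore() {
  return {
    topics: new Map([[1, { tid: 1, cid: 'staff', title: 'Restricted topic' }]]),
    tagToTids: new Map([['restricted', new Set([1])]]),
    canRead: { staff: new Set(['member']) }, // category -> users allowed to read it
  };
}

// Permission filter: keep only the topics this user may read.
function visibleTopics(store, tids, user) {
  return tids
    .map((tid) => store.topics.get(tid))
    .filter((t) => t && store.canRead[t.cid].has(user));
}

// BEFORE: the "tag has no topics left" cleanup looks at the filtered result,
// so a read by a user without rights deletes the tag for everyone.
function getTopicsByTagBuggy(store, tag, user) {
  const tids = [...(store.tagToTids.get(tag) || [])];
  const topics = visibleTopics(store, tids, user);
  if (topics.length === 0) {
    store.tagToTids.delete(tag);
  }
  return topics;
}

// AFTER: the cleanup looks at the raw tid list, before any permission filtering.
function getTopicsByTagFixed(store, tag, user) {
  const tids = [...(store.tagToTids.get(tag) || [])];
  if (tids.length === 0) {
    store.tagToTids.delete(tag);
    return [];
  }
  return visibleTopics(store, tids, user);
}

// Replays steps 3 and 4 of the report: unprivileged click, then group member click.
function replay(getTopicsByTag) {
  const store = makeStore();
  const guestSees = getTopicsByTag(store, 'restricted', 'guest').length;
  const memberSees = getTopicsByTag(store, 'restricted', 'member').length;
  return { guestSees, memberSees, tagSurvives: store.tagToTids.has('restricted') };
}

console.log('buggy:', replay(getTopicsByTagBuggy));
console.log('fixed:', replay(getTopicsByTagFixed));
```

The general pattern to check for in review is a read path that mutates shared state based on a permission-filtered view.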

