Cannot select group badge for groups that are hidden... other questions about gated categories and group based security holes

  • samuelp wrote (#1):

    In my forum at forums.j-novel.club, I have 2 special groups for subscribers and premium subscribers of my service.

    The membership of these groups is entirely controlled by the write-api plugin from my backend service, and I don't want the list of who is in each group to be public...

    So currently the settings for these groups are:
    Show Badge: Checked
    Private: Unchecked (because I need them added immediately by the write API)
    Disable Join Requests: Checked
    Hidden: Checked

    But with these settings, the group doesn't appear in my user profile settings to select the badge. It does however if I uncheck "Hidden". However in that case people can go to the Group page and see everyone else in that group which is not a behavior I would like to be able to have.

    Could I like, disable the group pages completely, so that even going to /groups directly doesn't work?

    Second, if I am not a Premium Member, but I go to the profile page of someone who is a Premium Member, I can see a timeline of all their posts, including the ones they made to Premium Only categories... This is a security hole and people could use this to read content that should be gated off. Could I disable the "Posts made by" list?

  • pichalite (Plugin & Theme Dev) replied to samuelp (#2):

    @samuelp does the registered-users group have access to the premium-only categories?

  • samuelp replied to pichalite (#3):

    @pichalite The permissions are set where registered users have "Find Category" and "Access Category" set, but nothing else like "Access Topic", etc.

    I want non-premium members to be able to see the categories and even the topic listings, just not any of the actual topic posts or replies.
    Right now also in addition to the loopholes above, the "most recent posts" reveals some of the posts (but not enough to bother me much)...

    I suppose a lot of this could be fixed by programming a custom template....
