  1. phpBB3
  2. PHPBB3-9036

Forums that can be listed but not read expose forum information

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.x
    • Fix Version/s: 3.0.10-RC1
    • Component/s: Viewing forums
    • Labels:
      None

      Description

      If you set up a forum to be private for a specific group and all other groups can see the forum on the index but can't read it (f_list = true && f_read = false), the forum index still shows all information with regard to that forum (number of posts/topics, last post information).

      1. bug-56995.diff
        0.8 kB
        Erik Frèrejean

        Activity

        Erik Frèrejean Erik Frèrejean added a comment -

        This proposed patch adds a template variable so that the default phpBB behavior isn't changed but it allows template authors to serve different information if this case arises.

        nickvergessen Joas Schilling added a comment -

        I think S_IS_HIDDEN is not the right description. Maybe S_NOT_AUTH_READ or something like that, and why don't you make it a one liner:

        'S_IS_HIDDEN'		=> ($auth->acl_get('!f_read', $row['forum_id'])),

        Erik Frèrejean Erik Frèrejean added a comment -

        Well yeah, that is even better; this was just the quick fix I used on one of my boards. Although a more descriptive name might be better to use in the core product.

        ToonArmy Chris Smith added a comment -

        Authentication related decisions don't belong in presentation. I seem to remember a bug about this in the past.

        Erik Frèrejean Erik Frèrejean added a comment -

        Well, you could do something like this; that's a small hack I wrote before I remembered doing this for another board.

        narqelion narqelion [X] (Inactive) added a comment -

        How is this even a bug? Perhaps I am missing something here but isn't this scenario already perfectly handled by permissions?

        Scenario 1:

        Admin wishes to "tease" by showing a forum exists but does not wish for everyone to be able to read the forum. I saw requests for how to set this up quite regularly in Support. A dangle the carrot type of approach to get people to post for advanced access or premium content.
        Solution: Can see forum = Yes/Can read forum=No

        Scenario 2:

        Admin wishes to completely hide private forums from all but permitted groups.
        Solution: Can see forum=No/Can read forum=No

        Scenario 3: (apparently the case used in this ticket)

        Admin wishes to arbitrarily hide/display # topics/posts or last post information based on forum and/or group permissions.
        Solution: MOD/style edits

        Erik Frèrejean Erik Frèrejean added a comment -

        Yes, it is case 3, but the problem is that phpBB doesn't include a way to hide this information (through a simple style edit). Hence it is leaking information the user shouldn't be seeing in the beginning. Why display the last post while the user isn't allowed to see the content of the forum at all?
        IMHO phpBB should at least provide a way for admins to easily hide this information or (even better) not leak the data at all when these permissions are set.

        naderman Nils Adermann added a comment -

        Well as explained in the previous comment, this "leaking" is actually desired behaviour. The situation you are describing is less likely to occur based on support requests. I'm fine with adding the template variable, but prosilver should stay as is.
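
Added example (not part of the ticket, the attached patch, or phpBB's code): a PHP 8 sketch of the two options discussed above, a template flag alone versus withholding the statistics server-side when f_list is granted but f_read is not. StubAuth, build_index_rows, the row keys and the sample data are hypothetical; S_NOT_AUTH_READ is the name suggested in the thread.

```php
<?php
// Added example (PHP 8+), not phpBB code. StubAuth is a hypothetical stand-in
// for phpBB's $auth object; row keys and sample data are constructed.
final class StubAuth
{
    public function __construct(private array $acl) {} // forum_id => [option => bool]
    public function acl_get(string $opt, int $forumId): bool
    {
        // As in the call quoted in the thread, a leading '!' negates the result.
        $negate  = str_starts_with($opt, '!');
        $granted = $this->acl[$forumId][ltrim($opt, '!')] ?? false;
        return $negate ? !$granted : $granted;
    }
}

// Build forum-index rows. With $withhold = false only the flag is added and the
// template decides what to show; with $withhold = true the statistics never
// reach the template for forums the user can list but not read.
function build_index_rows(array $forums, StubAuth $auth, bool $withhold): array
{
    $rows = [];
    foreach ($forums as $row) {
        $id = (int) $row['forum_id'];
        if (!$auth->acl_get('f_list', $id)) {
            continue; // not listable: the forum does not appear at all
        }
        $notAuthRead = $auth->acl_get('!f_read', $id);
        $hide = $withhold && $notAuthRead;
        $rows[] = [
            'FORUM_NAME'        => $row['forum_name'],
            'S_NOT_AUTH_READ'   => $notAuthRead,
            'TOPICS'            => $hide ? null : $row['topics'],
            'POSTS'             => $hide ? null : $row['posts'],
            'LAST_POST_SUBJECT' => $hide ? null : $row['last_post_subject'],
        ];
    }
    return $rows;
}

$forums = [
    ['forum_id' => 1, 'forum_name' => 'General', 'topics' => 12, 'posts' => 80, 'last_post_subject' => 'Welcome'],
    ['forum_id' => 2, 'forum_name' => 'Staff', 'topics' => 3, 'posts' => 9, 'last_post_subject' => 'Agenda'],
    ['forum_id' => 3, 'forum_name' => 'Hidden', 'topics' => 1, 'posts' => 1, 'last_post_subject' => 'Notes'],
];
$auth = new StubAuth([
    1 => ['f_list' => true, 'f_read' => true],
    2 => ['f_list' => true, 'f_read' => false], // forum 3 has no grants at all
]);
echo json_encode(build_index_rows($forums, $auth, true), JSON_PRETTY_PRINT), PHP_EOL;
```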


          People

          • Assignee:
            nickvergessen Joas Schilling
            Reporter:
            Erik Frèrejean Erik Frèrejean