FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Profiles and message titles visible to lurkers
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
icon4.gif  Profiles and message titles visible to lurkers [message #16529] Wed, 04 February 2004 04:49 Go to next message
Delta is currently offline  Delta   United States
Messages: 8
Registered: January 2004
Karma: 0
Junior Member
I am assuming this is a bug: With just about every info function turned off on the front page, unregistered users can:

- View the profile of anyone who is noted on the public forums listing of the front page, including moderators and last poster in a forum,

AND

- View the message titles of all the posts of those people, even posts in the "private" forums. The messages themselves are still blocked, but still, lurkers are able to see titles, which is more than would be expected.

This happens with the following settings:

Members list is enabled only for registered users.
Search is enabled only for registered users.
Who's online, etc. are disabled.
Group settings completely disable unregistered users on all functions of the private forums.

Again, I'm assuming this is a bug and not an error in settings. I believe I locked everything up pretty tight. Our members would like to assume that only other members can see their profiles. This seems like a glaring loophole.

I checked the recent updates and did not see these things mentioned, but perhaps I did not understand some jargon. (?)

Thanks!
Re: Profiles and message titles visible to lurkers [message #16537 is a reply to message #16529] Wed, 04 February 2004 14:30 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Delta wrote on Tue, 03 February 2004 23:49

- View the message titles of all the posts of those people, even posts in the "private" forums. The messages themselves are still blocked, but still, lurkers are able to see titles, which is more than would be expected.

Try this: Go into the Group Manager and find the group for the forum you're concerned about. Click on Manage Users, next to it. Click on the Anonymous user, and turn off Visible and Read.
Re: Profiles and message titles visible to lurkers [message #16538 is a reply to message #16537] Wed, 04 February 2004 15:20 Go to previous messageGo to next message
Delta is currently offline  Delta   United States
Messages: 8
Registered: January 2004
Karma: 0
Junior Member
Anonymous users are set to "N" for everything on the private forums. But even so, profiles for any users linked on the front page are visible to all, including anonymous users.

From the profile, anonymous users can view the headings of all of that user's posts, including posts on the private forums.

Any username linked on the front page is vulnerable to this kind of peeping by any anonymous user.

Thanks for the suggestion, though. I'm still stumped.

[Updated on: Wed, 04 February 2004 16:29]

Report message to a moderator

Re: Profiles and message titles visible to lurkers [message #16556 is a reply to message #16538] Thu, 05 February 2004 16:57 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Yeah, I only meant that my suggestion would prevent anons from seeing topics they shouldn't.

Personally, I don't think they should be able to see *any* members in the list. A config option for this would be nice.
Re: Profiles and message titles visible to lurkers [message #16557 is a reply to message #16556] Thu, 05 February 2004 17:09 Go to previous messageGo to next message
Delta is currently offline  Delta   United States
Messages: 8
Registered: January 2004
Karma: 0
Junior Member
The thing is, anon users CAN see the topic headings of all the posts by the user from that person's profile ... so that if the user's profile is linked on the home page in any way, including as latest poster in a public forum, all of their message headings (not bodies) would be viewable as well.

Thanks for the thought. Maybe this is something for the next release?
Re: Profiles and message titles visible to lurkers [message #16559 is a reply to message #16557] Thu, 05 February 2004 18:58 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Ah, now I see. You're right, that does seem like a security flaw.
Re: Profiles and message titles visible to lurkers [message #16601 is a reply to message #16559] Mon, 09 February 2004 19:33 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The user profile displaying is always avaliable. But, the anon user would need to know the id of the user in order to see it.

On the profile page itself if the last message posted by the user was in the private forum it will not be displayed.

For private forums if you take away ALL permissions (including view) from anon users they won't be able to see that that forum completely.


FUDforum Core Developer
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: "RDF_AUTH_ID" variable is placed above "<?php" in GLOBALS.php causing errors.
Next Topic: forum error msg
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Nov 26 03:48:34 GMT 2024

Total time taken to generate the page: 0.02626 seconds