Guests able to subscribe to topics using active topics
The active topics page doesn't appear to have checks on it to make sure a user is logged in before allowing the subscription to threads and the display of the watch/unwatch column. While this isn't a security problem (the redundant guest ID is simply being added to the watched topics table in the db which then does nothing wrt mailing out when a thread is replied to) it should still be fixed though *looks at neo because it's his mod*
Kieran
"Indeed!"
Invaluable links: Forum Rules | Networking Guides | FAQ | Site Search | Forum Search <-- Use it or feel my wrath!
No support via PM, please ask your questions in the forum!
Shotokan101 wrote:
> Does it show "ALL" topics to guest then - including the Private ones ?

Nope, it just means that when a user watches/unwatches a topic there is no check to see if a user is logged in. What topics are displayed etc are still tied to the user, as Kieran says, there is no security issue.
Thanks for the heads up Kieran (although it might have been better to mention it before, when you checked it). I will add a little check to see if a user is logged in.
RouterTech Team and Founding Member
RouterTech Merchandise (UK)
No support via PM, please ask your questions on the forum!
Neo wrote:
> Shotokan101 wrote:
> > Does it show "ALL" topics to guest then - including the Private ones ?
>
> Nope, it just means that when a user watches/unwatches a topic there is no check to see if a user is logged in. What topics are displayed etc are still tied to the user, as Kieran says, there is no security issue.

Neo is right, it is not a permissions issue wrt viewing or subscribing to private/registered user only forums, simply a case of guests being able to pointlessly subscribe to public forums.

Neo wrote:
> Thanks for the heads up Kieran (although it might have been better to mention it before, when you checked it). I will add a little check to see if a user is logged in

Thanks for looking into it; sorry I didn't mention it before, but you see when I said I checked it, I check important things like perms and phpBB guidelines. I had a lot of work on and so couldn't check it to the nth degree.
Kieran
Kieran wrote:
> Thanks for looking into it; sorry I didn't mention it before, but you see when I said I checked it, I check important things like perms and phpBB guidelines. I had a lot of work on and so couldn't check it to the nth degree

Yeah, I know you've got other commitments, no need to explain.
It should be OK now - it asks you to log in and then if you log in it redirects you to the 'active topics' page - Is that good enough?
RouterTech Team and Founding Member
Ideally the whole column should be made to hide when logged out and the rogue guest entries removed from the database.... BUT that takes some doing with switches and needs db access, so I have flagged this thread and will sort the rest at some point. It's fine for now.
Kieran
I can hide the 'watch' column if a user is logged out, but I'll let you clean up the db
I presume it's OK to simply 'not use' the watch column part of the template when the page is viewed by a guest?
RouterTech Team and Founding Member
I will do it later
Kieran
Kieran wrote:
> Ideally the whole column should be made to hide when logged out...

Done
RouterTech Team and Founding Member
That's great, Neo - just the job
Closing thread as issue resolved.
Kieran
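
The fix discussed in this thread (a login check on the watch action, hiding the watch column for guests, and removing the guest rows), sketched as an added example that is not the mod's or phpBB's own code. The table layout, the `GUEST_ID` value, the session array and the `login.php` URL are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and names, not phpBB's or the mod's code.
const GUEST_ID = -1; // assumption: id of the shared guest account on this board

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics_watch (topic_id INTEGER, user_id INTEGER, PRIMARY KEY (topic_id, user_id))');

// One definition of "logged in", used by both the handler and the template.
function is_member(array $session): bool
{
    return !empty($session['logged_in']) && $session['user_id'] !== GUEST_ID;
}

// Before: the handler assumes only logged-in users can reach the watch link.
function watch_topic_unchecked(PDO $db, array $session, int $topic_id): string
{
    $stmt = $db->prepare('INSERT OR IGNORE INTO topics_watch (topic_id, user_id) VALUES (?, ?)');
    $stmt->execute([$topic_id, $session['user_id']]);
    return 'watching';
}

// After: guests are refused server-side and sent to log in, then back to the page.
// $return_to is a fixed local page chosen by the caller, never taken from the request.
function watch_topic(PDO $db, array $session, int $topic_id, string $return_to): string
{
    if (!is_member($session)) {
        return 'redirect:login.php?redirect=' . rawurlencode($return_to);
    }
    return watch_topic_unchecked($db, $session, $topic_id);
}

// Cleanup: remove the rows the unchecked handler stored under the guest id.
function purge_guest_watches(PDO $db): int
{
    $stmt = $db->prepare('DELETE FROM topics_watch WHERE user_id = ?');
    $stmt->execute([GUEST_ID]);
    return $stmt->rowCount();
}

$guest  = ['logged_in' => false, 'user_id' => GUEST_ID]; // constructed sessions
$member = ['logged_in' => true,  'user_id' => 42];

watch_topic_unchecked($db, $guest, 7);                        // old behaviour leaves a guest row
echo watch_topic($db, $guest, 8, 'active_topics.php'), "\n";  // redirected, nothing written
echo watch_topic($db, $member, 8, 'active_topics.php'), "\n"; // member subscription stored
echo 'watch column shown to guest: ', var_export(is_member($guest), true), "\n";
echo 'guest rows purged: ', purge_guest_watches($db), "\n";
```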