I have different forum areas with different access levels. The problem is that under discover/newest activities all topics are listed, even if they are from areas the user has no permission for and which are not listed on the overview page.

  • Re: security issue: people see title and start of topics they are not allowed to

    by » one month ago


    The activities are shown from all activities with a short intro. Further, the activities do not record topic/category ids but only the activity description. Hence you can't enforce the permissions on activities displayed. If you are using different permissions for different forums and don't want to display the short intro of the activity, it is better not to use the activity stream.


    Follow me on twitter: https://twitter.com/corejoomla
    If you use our extensions, please post a rating and a review at the Joomla! Extensions Directory.
    Surveys | CjForum | Polls | Answers | Quizzes | Quotes | GPS Tools | Sociable


  • Re: security issue: people see title and start of topics they are not allowed to

    by » one month ago


    To deactivate the activity stream was the first thing I did after discovering the problem. But it cannot be the solution to deactivate the features of the forum.

    I am a bit desperate because of the various problems with the rights management. For me this is a substantial part of a forum that the ACL is integrated and the security of the topics is provided based on the ACL. If you prefer, I enter this as feature request additionally. These are two of the problems I encountered:

    • (problem mentioned above:) people see activities (topics, replies, feedback) in the activity stream they have no permission to open.
    • If a topic was created with a restricted Joomla access level, all users having subscribed to the category got informed even though they might not have the necessary access level to read the topic (https://www.corejoomla.com/forum/support/cjforum/17771-post-information-goes-to-people-without-the-necessary-access-level.html)

    I suggest that

    • you can choose a standard access level for all topics and the replies in the settings. All new topics should have this access level if it is not customized in a certain topic. All topics of a forum should inherit the permissions of the (parent) forum.
    • you can choose a different access level for a certain topic and the replies to it.
    • people having subscribed to a forum or category are informed of new topics or answers depending on the usergroup they are in and the access level bound to it.
    • the activity stream shows activities to the user depending on his usergroup and the corresponding access levels

     


  • Re: security issue: people see title and start of topics they are not allowed to

    by » one month ago


    Please post a feature request. I will enhance the activity stream to get the access level of the topic when displaying them.


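
A minimal model of the behaviour requested in this thread, added here as an example and not CjForum or Joomla code: each activity keeps the id of its topic, so the topic's access level (inherited from the category unless overridden) can be checked both when the stream is displayed and when subscribers are notified. All names, the data layout and the sample records are assumptions; the integer levels follow Joomla's default view levels (1 = Public, 2 = Registered, 3 = Special).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: category_id -> view level required to read it.
CATEGORY_ACCESS = {10: 1, 20: 3}

@dataclass
class Topic:
    id: int
    category_id: int
    access: Optional[int] = None   # None = inherit the category's level

@dataclass
class Activity:
    topic_id: int                  # stored so the check is possible at read time
    text: str

# Constructed topics: 1 is public, 2 sits in a restricted category,
# 3 is individually restricted inside a public category.
TOPICS = {1: Topic(1, 10), 2: Topic(2, 20), 3: Topic(3, 10, access=3)}

STREAM = [
    Activity(1, "New topic: welcome"),
    Activity(2, "New topic: staff planning"),
    Activity(3, "Reply in: moderator notes"),
    Activity(99, "Reply in: deleted topic"),   # dangling reference
]

def effective_access(topic):
    """A topic-level setting wins; otherwise the category's level applies."""
    if topic.access is not None:
        return topic.access
    return CATEGORY_ACCESS[topic.category_id]

def can_view(user_levels, topic_id):
    """user_levels: set of view levels the user is authorised for."""
    topic = TOPICS.get(topic_id)
    # Fail closed: an activity whose topic cannot be resolved stays hidden.
    return topic is not None and effective_access(topic) in user_levels

def visible_activities(activities, user_levels):
    """Filter the stream per viewer instead of showing every record."""
    return [a for a in activities if can_view(user_levels, a.topic_id)]

def notify_recipients(subscribers, topic_id):
    """subscribers: user name -> set of view levels. Same check as the stream."""
    return sorted(u for u, levels in subscribers.items()
                  if can_view(levels, topic_id))
```

The same `can_view` check serves both paths, so the stream and the subscription mails cannot disagree about who may see a topic.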

