• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Tim Cooke
  • Devaka Cooray
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Piet Souris
  • Mikalai Zaikin
Bartenders:
  • Carey Brown
  • Roland Mueller

REALLY Very Serious Bug!

 
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I recently installed 2.1.7 from CVS.

I just found that the "Delete" button is available to ALL NOT LOGGED USERS!
So every user can remove existing messages in the forum!
Some threads were already removed in my forum. :twisted:

I re-saved all permissions in Admin Panel, but this doesn't helped.


HELP !!!
[originally posted on jforum.net by Evgeny]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Update: more badly everyone, including unregistered users, become an administrator after the update and was being able to enter the Control Panel.

All permissions were reseted in the General Group after the update from CVS.

I just set again all permissions in the General Group and this fixed the problem. However I have no idea who removed some threads in my forum and what else they did, if they do, in the Admin Panel.

:?
[originally posted on jforum.net by Evgeny]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That's strange. The only way the anonymous user could delete a message is if the "General" group had such rights.

I did some checking, and coulnd't find anything wrong with the code.

I'll check again just to make sure, but it appears to be just a mistake while editing the permissions.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Exactly, the "General" group got such rights after I updated JForum 2.1.7 from CVS.

Since I not modified the rights myself, I also not checked the rights after the update. But all rights were changed, I suppose during the upgrade, to the same rights as in the Admin group.

Fortunatey I had a data backup and restored all messages...
[originally posted on jforum.net by Evgeny]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hi-

I thought this was a new feature in 2.1.7.

Yeah, group General has Admin rights by default.

I have to immediately turn Admin rights off for Group General when making a new forum with 2.1.7


[originally posted on jforum.net by MyJForum]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This wasn't supposed to be like this. I'll check the upgrade scripts, so this won't happen in the final version.

Thanks for reporting.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
I'm full of tinier men! And a tiny ad:
We need your help - Coderanch server fundraiser
https://coderanch.com/wiki/782867/Coderanch-server-fundraiser
reply
    Bookmark Topic Watch Topic
  • New Topic