[Topic privacy] Messages are readable by guests

Pandos

  • Living on the edge of Wedge
  • Posts: 635
[Topic privacy] Messages are readable by guests
« on June 6th, 2014, 02:54 PM » Last edited on July 6th, 2014, 01:36 PM by Nao
If you set the privacy of a new topic, e.g. to Global Moderator, all Guests are able to see the complete messages from this topic in "Recent Posts". You will also see the topic when browsing the forum, but you can't access it. So it's not hidden from disallowed membergroups.
# dpkg-reconfigure brain
error: brain is not installed or configured

Sara

  • Walking Contradiction
  • Posts: 41

Nao

  • Dadman with a boy
  • Posts: 16,080
[Topic privacy] Re: Messages are readable by guests
« Reply #2, on July 6th, 2014, 10:47 AM »
No, I didn't even see this topic in the first place... Was it set to a specific privacy? :lol:

Sara

  • Walking Contradiction
  • Posts: 41

Nao

  • Dadman with a boy
  • Posts: 16,080
[Topic privacy] Re: Messages are readable by guests
« Reply #4, on July 6th, 2014, 01:45 PM »
There... Should work now.

I thought I'd moved all of the query_see_topic queries over from Noisen.com, but this clearly shows it wasn't the case.
Because privacy is crucial, it's important that any queries with {db_prefix}messages or {db_prefix}topics in them use {query_see_topic} at some point, UNLESS (1) privacy doesn't matter (no message title or body being shown), or (2) we already know we're within bounds (e.g. a query_see_topic query was launched earlier, and we're working on its results.)

That's still a lot of queries to go through (about 500). I have no idea how I managed to implement that in Noisen... Oh, wait. I didn't have a baby coming up, or a partner leaving me to fix his own stuff, or a public source to be scrutinized by everyone.

For the anecdote, Noisen.com had (and still has) an 'infamous' topic which I created with a very severe privacy ("just me"), and I challenged anyone to tell me the secret word that was in it... Nobody ever found it, meaning my code is just flawless, or they didn't care ah ah.

Please, Pandos and anyone else -- make sure to report anything fishy! Do it my way-- create a test topic, and try to find its content, anywhere!
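The rule stated in Reply #4 (any query touching {db_prefix}messages or {db_prefix}topics must use {query_see_topic} unless one of the two exceptions applies) can be checked mechanically. The following is an added example, not part of the original thread or of Wedge's code base: a small audit script over PHP source. The `query()` call in the sample, the sample queries themselves and the `privacy-ok:` waiver comment are constructed for illustration.

```python
import re

# Tables whose rows are subject to topic privacy, as named in Reply #4.
GUARDED = re.compile(r"\{db_prefix\}(messages|topics)\b")
GUARD = "{query_see_topic}"
# Hypothetical reviewer annotation (not a Wedge convention) recording one of
# the two exceptions: no title/body shown, or rows already filtered earlier.
WAIVER = re.compile(r"privacy-ok:\s*(\S.*)")
# PHP single-quoted string literal, possibly spanning several lines.
LITERAL = re.compile(r"'((?:\\.|[^'\\])*)'", re.S)

def audit(php_source):
    """Return (line, tables, status) for each query literal on guarded tables."""
    findings = []
    lines = php_source.splitlines()
    for m in LITERAL.finditer(php_source):
        sql = m.group(1)
        tables = sorted({t.group(1) for t in GUARDED.finditer(sql)})
        if not tables:
            continue
        line_no = php_source.count("\n", 0, m.start()) + 1
        if GUARD in sql:
            status = "guarded"
        else:
            # A waiver only counts on the line directly above the literal.
            above = lines[line_no - 2] if line_no >= 2 else ""
            w = WAIVER.search(above)
            status = "waived: " + w.group(1).strip() if w else "UNGUARDED"
        findings.append((line_no, tables, status))
    return findings

# Constructed sample: the first query filters on message approval only,
# which is the Recent Posts pattern described in this thread.
SAMPLE = r"""<?php
$recent = query('
    SELECT m.id_msg, m.subject, m.body
    FROM {db_prefix}messages AS m
    WHERE m.approved = 1
    ORDER BY m.id_msg DESC');

$index = query('
    SELECT t.id_topic, m.subject
    FROM {db_prefix}topics AS t
    INNER JOIN {db_prefix}messages AS m ON (m.id_msg = t.id_first_msg)
    WHERE {query_see_topic}');

// privacy-ok: counts only, no title or body shown
$total = query('SELECT COUNT(*) FROM {db_prefix}messages');
"""
```

Every `UNGUARDED` finding is a query to review by hand; a waiver documents why an exception applies rather than silencing the check.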
[Topic privacy] Re: Messages are readable by guests
« Reply #5, on July 6th, 2014, 03:05 PM »
Okay, I think I've found the reason for the problem...

- SMF 2.0 has these bits: topic.approved, and message.approved. If topic is not approved, the first message isn't either, IIRC, so in Recent Messages, the query basically checks for whether the message being retrieved is approved. If yes, then it shows it.
- However, in Wedge, we add topic privacy to the mix. Wedge moved it to {query_see_topic}, and I replaced all of the topic approved tests with a {query_see_topic}. BUT, here's the thing, a topic can be approved and its messages are still undesirable to the end user. So, in addition to {query_see_topic} on topic approvals, I should be doing it selectively on message approvals, replacing them with something else that takes topic privacy and message approval into account.

Not easy... So, I guess the safest way would be for me to go through the Noisen patch, and take it upon myself to ensure everything is implemented. I don't like the idea, but... It's better than a useless topic privacy feature, right..? ;)