It seems the Last 5 Center Combined block lists the last 5 active topics from ALL forums, and not just those the user has permission to see.
So, if you have a private forum, the general users still get to see the topic names of topics in the private forum, even though they are only supposed to be able to see that the forum exists and nothing else.
Has anyone come up with a mod to correct this problem? Or could someone help me to correct it?
$result = $db->sql_query("SELECT
t.topic_id, t.topic_last_post_id, t.topic_title, t.topic_views, t.topic_replies,
a.username AS authorname, a.user_id AS authorid,
p.poster_id, p.post_time as post_time
FROM ($prefix".(($forums_pro==1) ? $dfp.'_topics' : '_bbtopics')." t, $prefix".(($forums_pro==1) ? $dfp.'_forums' : '_bbforums')." f)
LEFT JOIN $prefix".(($forums_pro==1) ? $dfp.'_posts' : '_bbposts')." p ON (p.post_id = t.topic_last_post_id)
LEFT JOIN ".$user_prefix."_users u ON (u.user_id = p.poster_id)
LEFT JOIN ".$user_prefix."_users a ON (a.user_id = t.topic_poster)
WHERE t.forum_id=f.forum_id $view ORDER BY t.topic_last_post_id DESC LIMIT 10");
But this query retrieves the details of topics the user doesn't have permission to see.
That is, there are no permission checks built into the query.
Even a user who isn't registered and/or not logged in gets to see the topic names of topics in forums they don't have permission to view or read.
Sure, they won't be able to follow the links and read the topics, but they shouldn't even get to see that the topics exist unless they have the appropriate permission.
It represents a security breach of the permissions system.
I understand that DJ Maze helped Phoenix to come up with this SQL Query. I'm hoping that they, or someone else that understands it all better than me, may be able to come up with a version that solves this security issue.
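To show the problem the post describes and one way to close it, here is an added example (not code from the original block or its authors) that runs the unfiltered "last topics" query beside a permission-filtered version over a constructed, simplified stand-in for the forums/topics tables; the auth_view levels (0 = everyone, 1 = registered, 2 = per-user grant) and the forum_access table are assumptions for illustration.

```python
import sqlite3

# Constructed sample schema standing in for the _bbforums / _bbtopics tables.
# auth_view is an assumed simplification: 0 = everyone, 1 = registered users,
# 2 = only users listed in forum_access for that forum.
SCHEMA = """
CREATE TABLE forums (forum_id INTEGER PRIMARY KEY, forum_name TEXT, auth_view INTEGER);
CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, forum_id INTEGER,
                     topic_title TEXT, topic_last_post_id INTEGER);
CREATE TABLE forum_access (forum_id INTEGER, user_id INTEGER);
INSERT INTO forums VALUES (1, 'General', 0), (2, 'Members', 1), (3, 'Staff', 2);
INSERT INTO topics VALUES (10, 1, 'Welcome', 100), (11, 2, 'Members only chat', 101),
                          (12, 3, 'Confidential staff notes', 102), (13, 1, 'Site news', 103);
INSERT INTO forum_access VALUES (3, 42);
"""

# Shape of the block's query: forums are joined only to satisfy the relation,
# so every forum's topic titles leak to whoever loads the page.
UNFILTERED = """
SELECT t.topic_title FROM topics t, forums f
WHERE t.forum_id = f.forum_id ORDER BY t.topic_last_post_id DESC LIMIT 5
"""

# Hardened form: the forum's view level is checked against the viewer.
# :uid is NULL for a guest, so only auth_view = 0 forums match for them.
FILTERED = """
SELECT t.topic_title FROM topics t JOIN forums f ON t.forum_id = f.forum_id
WHERE f.auth_view = 0
   OR (:uid IS NOT NULL AND f.auth_view = 1)
   OR (:uid IS NOT NULL AND f.auth_view = 2 AND EXISTS (
         SELECT 1 FROM forum_access fa
         WHERE fa.forum_id = f.forum_id AND fa.user_id = :uid))
ORDER BY t.topic_last_post_id DESC LIMIT 5
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def last_topics_unfiltered(db):
    return [row[0] for row in db.execute(UNFILTERED)]

def last_topics_for(db, user_id):
    # user_id None models a visitor who is not logged in.
    return [row[0] for row in db.execute(FILTERED, {"uid": user_id})]

if __name__ == "__main__":
    db = open_db()
    print("unfiltered:", last_topics_unfiltered(db))
    print("guest:     ", last_topics_for(db, None))
    print("user 42:   ", last_topics_for(db, 42))
```

Running it shows the staff-only title in the unfiltered list but not in the guest's or an ordinary member's list; the real fix is to apply the same per-forum check the forum itself uses when building `$view`.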