
Archived ⇒ Last 5 Center Combined Block and Permissions


G'day,

It seems the Last 5 Center Combined block lists the last 5 active topics from ALL forums, and not just those the user has permission to see.

So, if you have a private forum, the general users still get to see the topic names of topics in the private forum, even though they are only supposed to be able to see that the forum exists and nothing else.

Has anyone come up with a mod to correct this problem? Or could someone help me to correct it?

Best Regards, Lloyd Borrett.

Website: www.vsag.org.au
Dragonfly 9.0.6.1 :: MySQL 4.1.21-standard :: PHP 4.4.4
Content Enhanced 9.7.1.0, CPGNuCalendar 2.0.5.2, Delete Members 1.0, DF Maps 0.9.7, DownloadsPro 3.0.0.8, Encyclopedia 2.0.2, FAQ 2.0.2, LinkToUs 1.0.1, ProjectsPro 1.1.0.2, WebLinksPro 1.1.4.2

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.7-1-grsec / 1.3.34 / 4.0.22-standard / 4.4.4 / 9.0.6.1

Last edited by lloyd_borrett on Wed Jun 27, 2007 8:48 am; edited 3 times in total


Are you using the last 5 forumspro center block?

If so, check this out

If not, I think I have seen a few posts in these forums about how to change the last 5 center block.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux | Apache[1.3.37] (Unix) | MySQL[4.1.21] | PHP[4.4.5] | DF[9.1.2.1]


G'day,

I'm not running ForumsPro, so I guess not.

Best Regards, Lloyd Borrett.



Sorry, which block is it? Does it come default with DF?



Sorry, it's the Last 5 Center Combined block v2.1.1 from www.dragonflycms.no (file block-Last5_Center.php).

I just checked and it wasn't a part of Dragonfly v9.1.2.1.

Best Regards, Lloyd Borrett.


Last edited by lloyd_borrett on Wed Jun 27, 2007 8:43 am; edited 1 time in total


G'day,

The query being used is...

// $view and the $forums_pro / $dfp table switches are set elsewhere in the block (not shown)
$result = $db->sql_query(
    "SELECT t.topic_id, t.topic_last_post_id, t.topic_title, t.topic_views, t.topic_replies,"
    ." u.username, u.user_id, a.username AS authorname, a.user_id AS authorid,"
    ." p.poster_id, p.post_time as post_time"
    ." FROM ($prefix".(($forums_pro==1) ? $dfp.'_topics' : '_bbtopics')." t,"
    ." $prefix".(($forums_pro==1) ? $dfp.'_forums' : '_bbforums')." f)"
    ." LEFT JOIN $prefix".(($forums_pro==1) ? $dfp.'_posts' : '_bbposts')." p ON (p.post_id = t.topic_last_post_id)"
    ." LEFT JOIN ".$user_prefix."_users u ON (u.user_id = p.poster_id)"
    ." LEFT JOIN ".$user_prefix."_users a ON (a.user_id = t.topic_poster)"
    ." WHERE t.forum_id=f.forum_id $view"
    ." ORDER BY t.topic_last_post_id DESC LIMIT 10"
);

But this query retrieves the details of topics the user doesn't have permission to see.

That is, there are no permission checks built into the query.

Best Regards, Lloyd Borrett.


Last edited by lloyd_borrett on Wed Jun 27, 2007 8:45 am; edited 3 times in total


I think you can view restricted posts if you are logged in.
Try logging out and check again.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux, Apache 2.0, SQL 5.0.86-log (client: 4.1.22), PHP 5.2.11 DF 9.2.1


G'day,

Even a user who isn't registered and/or not logged in gets to see the topic name of topics in forums they don't have permission to view or read.

Sure they won't be able to follow the links and read the topics, but they shouldn't even get to see the topics exist unless they have the appropriate permission.

It represents a security breach of the permissions system.

I understand that DJ Maze helped Phoenix to come up with this SQL Query. I'm hoping that they, or someone else that understands it all better than me, may be able to come up with a version that solves this security issue.

Best Regards, Lloyd Borrett.
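
Added example, not part of the original thread and not the block's or Dragonfly's own code: a self-contained SQLite reproduction of the leak described above, next to a version that restricts the "last topics" query to forums the visitor may view. The two-table schema, the `auth_view` column (0 = everyone, 1 = members only), the helper names and the sample rows are constructed assumptions; only the topic/forum column names follow the query quoted in the thread.

```python
import sqlite3

def build_db():
    # Constructed sample data: forum 2 is private, and holds the newest topics.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bbforums (forum_id INTEGER PRIMARY KEY, forum_name TEXT,
                               auth_view INTEGER);  -- assumed permission column
        CREATE TABLE bbtopics (topic_id INTEGER PRIMARY KEY, forum_id INTEGER,
                               topic_title TEXT, topic_last_post_id INTEGER);
        INSERT INTO bbforums VALUES (1, 'General', 0), (2, 'Committee', 1);
        INSERT INTO bbtopics VALUES
            (10, 1, 'Welcome', 100),
            (11, 2, 'Budget dispute', 103),
            (12, 1, 'Site news', 102),
            (13, 2, 'Member suspension', 104);
    """)
    return db

def viewable_forum_ids(db, is_member):
    """Forums this visitor may view; derived server-side, never from request input."""
    level = 1 if is_member else 0
    rows = db.execute(
        "SELECT forum_id FROM bbforums WHERE auth_view <= ? ORDER BY forum_id",
        (level,))
    return [r[0] for r in rows]

def last_topics_unfiltered(db, limit=5):
    """Same shape as the block's query: joins the forums table, checks nothing."""
    sql = ("SELECT t.topic_title FROM bbtopics t, bbforums f "
           "WHERE t.forum_id = f.forum_id "
           "ORDER BY t.topic_last_post_id DESC LIMIT ?")
    return [r[0] for r in db.execute(sql, (limit,))]

def last_topics_filtered(db, allowed_ids, limit=5):
    """Filter inside the query, so LIMIT counts only rows the visitor may see."""
    if not allowed_ids:  # "IN ()" is invalid SQL; no viewable forum means no rows
        return []
    marks = ",".join("?" * len(allowed_ids))
    sql = ("SELECT t.topic_title FROM bbtopics t "
           f"WHERE t.forum_id IN ({marks}) "
           "ORDER BY t.topic_last_post_id DESC LIMIT ?")
    return [r[0] for r in db.execute(sql, (*allowed_ids, limit))]
```

Filtering in the WHERE clause, rather than dropping rows after the fetch, keeps the block at its full topic count for guests even when the newest topics are all in private forums.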
