Anonymous direct access to Forum posts despite the "hide to anonymous" setting at module level

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
7/17/2009 3:33:13 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Anonymous direct access to Forum posts despite the "hide to anonymous" setting at module level

Hi Joe,

Within a page that allows anonymous access I placed several features, including a Forum module.

The forum should be reserved to registered members only; therefore I checked the "Hide to anonymous" flag.

Through normal browsing, access permissions are correctly applied, but anonymous users can access the post URL both directly and from the search results, despite the module security settings.

It seems a problem similar to a previous bug you already fixed: http://www.mojoportal.com/Forums/Thread.aspx?thread=3170&mid=34&pageid=5&ItemID=2

Regards.
Diego

7/17/2009 6:55:55 AM
Total Posts 18439

Re: Anonymous direct access to Forum posts despite the "hide to anonymous" setting at module level

Hi Diego,

Hide From Authenticated or Hide From Anonymous were never meant to enforce security; they are meant for cosmetic usage only. If you want to enforce permissions you should use view roles.

Best,

Joe

7/17/2009 7:23:10 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Re: Anonymous direct access to Forum posts despite the "hide to anonymous" setting at module level

Joe,

Apparently nothing changes by resetting General / Hide From Anonymous Users? to (_) and setting module Security / Roles that can view this content to:
(_) All Users
(X) Authenticated Users

Anonymous can still directly access a post URL within the forum module (i.e. in case a registered user forwards a reply notification e-mail to others), and Search results show the post link as an available resource.

Try this:
http://www.effectiveweb.it/Forums/Thread.aspx?thread=7&mid=18&pageid=10&ItemID=6&pagenumber=1#post8
 

 

7/17/2009 8:53:35 AM
Total Posts 18439

Re: Anonymous direct access to Forum posts despite the "hide to anonymous" setting at module level

Hi Diego,

You are right, this is a bug: the Thread.aspx page is only enforcing page view permissions, not module view permissions. To fix it I will change this code:

    // Before: only the page view permissions are checked.
    if (!UserCanViewPage())
    {
        if (!Request.IsAuthenticated)
        {
            SiteUtils.RedirectToLoginPage();
        }
        else
        {
            SiteUtils.RedirectToAccessDeniedPage();
        }
        return;
    }

to this:

    // After: the module view permissions are checked as well.
    if (!UserCanViewPage(moduleId))
    {
        if (!Request.IsAuthenticated)
        {
            SiteUtils.RedirectToLoginPage();
        }
        else
        {
            SiteUtils.RedirectToAccessDeniedPage();
        }
        return;
    }

Passing in the moduleid validates the module permissions in addition to the page view permissions.

Thanks,

Joe
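
Added example (not part of the original posts and not mojoPortal's code): a small C# model of the gap discussed in this thread, which lists the modules that a page-only view check exposes to anonymous direct requests while a page plus module check denies them. The types, the role storage and the sample data are assumptions made for illustration; page id 10 and module id 18 are taken from the URL posted above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model for illustration; these types are not mojoPortal's API.
class Module { public int Id; public int PageId; public string[] ViewRoles; }

static class ViewRoleAudit
{
    const string Everyone = "All Users";

    // Constructed sample data: page 10 is public, forum module 18 on it is members-only.
    static readonly Dictionary<int, string[]> PageViewRoles = new Dictionary<int, string[]>
    {
        { 10, new[] { Everyone } },
        { 11, new[] { "Authenticated Users" } },
    };
    static readonly List<Module> Modules = new List<Module>
    {
        new Module { Id = 18, PageId = 10, ViewRoles = new[] { "Authenticated Users" } },
        new Module { Id = 19, PageId = 10, ViewRoles = new[] { Everyone } },
        new Module { Id = 20, PageId = 11, ViewRoles = new[] { "Authenticated Users" } },
    };

    static bool Allows(string[] allowed, string[] userRoles) =>
        allowed.Contains(Everyone) || allowed.Intersect(userRoles).Any();

    // Page-only decision: what a detail page enforces when it ignores the module id.
    static bool CanViewPage(string[] userRoles, int pageId) =>
        PageViewRoles.TryGetValue(pageId, out var allowed) && Allows(allowed, userRoles);

    // Page + module decision: both role lists must admit the user; unknown ids fail closed.
    static bool CanViewPage(string[] userRoles, Module module) =>
        module != null && CanViewPage(userRoles, module.PageId) && Allows(module.ViewRoles, userRoles);

    static void Main()
    {
        var anonymous = new string[0];
        // Modules an anonymous direct request reaches under the page-only check
        // but not under the page + module check.
        var exposed = Modules.Where(x => CanViewPage(anonymous, x.PageId) && !CanViewPage(anonymous, x));
        foreach (var m in exposed)
            Console.WriteLine($"module {m.Id} on page {m.PageId}: page-only check lets anonymous in");
    }
}
```

The same comparison applies to any page that is reachable by a direct URL with a module id in the query string, since those requests never pass through the host page's rendering logic.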

 
