Users able to view hidden sections

Discussions about the phpBB3 Forum. How to get the best from this powerful script.
Note that there is no official support for phpBB3 here, a place to share more than to ask for.

Moderator: Moderators

Users able to view hidden sections

Postby NoHumorMan » Sun Jan 26, 2014 6:14 pm

Greetings,

I am the creator of the following forum - http://thepropden.aokforums.com/index.php - hosted by - forummate.com - and we have a serious problem with the permission settings in the phpbb3 format. I remember the previous format being much simpler, with fewer options, where user and forum settings and permissions were merged. The current system has the too many permission areas where to change them and when setting them in one area of the admin control panel it overrides the settings made elsewhere.

We currently have users who can see our hidden sections but when viewing their profile permission we cannot see that they can view the hidden forums. This is just not acceptable that we cannot be sure that the sections we choose to hide from members are not visible to them for browsing. The fact that the admin panel has so many features is in my mind the reason why we cannot figure out how to solve the problem and we cannot go through the profile settings of every single user to make sure that they cannot see those particular sections. In the old format, when setting up the forum permissions, you also set up the user permissions as well and it was simple and was safe. It is just too overwhelming now and we need to get this sorted. Our hosting service cannot help us with this as they view it as a phpbb3 issue or glitch.

I would very much like to hear what can be done to ensure that sections chosen only to be viewable by admin and mods cannot and will not be viewable by the members. All the settings seems right, but if it is one permission area overriding another, then we cannot find it and correct it. If it wasn't because we have good members of the forum, we would never have known the issue that hidden sections were visible to user whose setting was set to not being able to view them. I don't know what else to do. I really hope you can help out and hopefully rethink the whole admin panel to make it much simpler, so permission settings for forums and users won't override each other and make a mess of who has permission to see what.

It has been shown that they are able to view it in the active topics list, so how do I remove posts from hidden sections from that view list or prevent them from showing up there in the first place? Any help would be appreciated.

Thanks for listening.

Sincerely,

Carsten Hedegaard
NoHumorMan
 
Posts: 4
Joined: Sun Jan 26, 2014 6:11 pm

Advertisement

Re: Users able to view hidden sections

Postby NoHumorMan » Mon Jan 27, 2014 1:25 pm

Some help would be appreciated? Ever since we were forced over into using phpBB3 we've had nothing but problems! Why was a simple and easy system that worked replaced with this overly complex nightmare?
NoHumorMan
 
Posts: 4
Joined: Sun Jan 26, 2014 6:11 pm

Re: Users able to view hidden sections

Postby HB » Mon Jan 27, 2014 3:51 pm

I agree it's confusing. The "permissions mask" dialog will at least show you why someone has permission:

https://www.phpbb.com/kb/article/phpbb3 ... ons/#MASKS

Usually this happens because you've accidentally given Guests or Registered Users (group) permission.
Dan Kehn
HB
phpBB SEO Team
phpBB SEO Team
 
Posts: 1567
Joined: Mon Oct 16, 2006 2:25 am

Re: Users able to view hidden sections

Postby NoHumorMan » Mon Jan 27, 2014 3:58 pm

All that has been checked and that isn't the cause. Our settings show NO ACCESS to both registered users, newly registered users, guests, bots, everything other than admins. Even the individual user settings show NO ACCESS, so the glitch lies somewhere in the active posts logging code. Why is it showing threads from NO ACCESS sections of the forum anyway, for ANY users? That makes very little sense the security is so lapse.

Image
NoHumorMan
 
Posts: 4
Joined: Sun Jan 26, 2014 6:11 pm

Re: Users able to view hidden sections

Postby HB » Mon Jan 27, 2014 9:03 pm

Perhaps you have a mod that has introduced this problem in "active topics"? It may be worth installing a fresh unmodiifed version of phpBB 3.0.12 in a different folder but with the config.php pointing to the same database. While I agree the permissions settings aren't very friendly, I've never seen a case where the "Trace permission" or the "Test out user's permissions" results were incorrect. If that were the case, given that phpBB is used by hundreds of thousands of people every day, someone besides you would have noticed.
Dan Kehn
HB
phpBB SEO Team
phpBB SEO Team
 
Posts: 1567
Joined: Mon Oct 16, 2006 2:25 am

Re: Users able to view hidden sections

Postby NoHumorMan » Mon Jan 27, 2014 11:33 pm

I cannot say anything about other forums or members of those. We only discovered this because we have users who felt the need to alert us to it. Who knows how many other forums are left wide open because no one reports such issues.

I will ask forummate.com whether your suggestion is an option - I do not want to mess with such things as I do not have the technical know-how for such.

The issue seems to lie in the active posts logging - if for nothing else, wouldn't it be possible to make sure the active posts list didn't display threads from no access sections of a forum?
NoHumorMan
 
Posts: 4
Joined: Sun Jan 26, 2014 6:11 pm

Re: Users able to view hidden sections

Postby HB » Tue Jan 28, 2014 4:23 pm

To suggest such a glaring error would go unnoticed to the thousands (10s of thousands?) of phpBB-based websites is absurd. That's why I suggested installing a "clean" version of phpBB, since mods invariably introduce this sort of regression.

It's not a waste of time - if you want an easier way of verifying, install a test server. How to set up a local server using xampp explains how. It's also a good exercise to compare the "clean" install against your version (WinMerge, Beyond Compare, to name only two, can help). Then you can inventory what changes have been done. Too often website owners don't have a clue what changes have been made, which can be a real tragedy if their server has a harddrive go bad, or hackers, or whatever.

For what it's worth, every month or so I do a "disaster recovery" test that verifies (or not!) that I can really recreate my site from the backups. If you're running a small community site, that may be overkill, but if it's a real business, it's just prudent. You don't want to find out the day after your site craters that you cannot rebuild it.
Dan Kehn
HB
phpBB SEO Team
phpBB SEO Team
 
Posts: 1567
Joined: Mon Oct 16, 2006 2:25 am


Return to phpBB Forum

 


  • Related topics
    Replies
    Views
    Last post

Who is online

Users browsing this forum: YandexBot [Bot] and 12 guests