[fixed] bad bad bad loophole in poll.php!!!


bira
Sun 3rd Jun '01, 12:34am
I've just discovered a logged in user - any user! - can add a poll to an existing thread without even posting in it, let alone starting it.

To prove my point, I've added a poll to tubedogg's sticky thread about regex and code (http://161.58.84.213/forum/showthread.php?s=&threadid=19054) (sorry tubedogg. John can delete it from the db).

The way is very easy: enter the url http://www.domain/forum/poll.php?threadid=xxxxxx whereby xxxxx is the thread id of any existing thread, and you get yourself the option of adding a poll.

Please fix this asap.

Thank you,

Bira

tubedogg
Sun 3rd Jun '01, 12:38am
Um yeah that's probably not good. I thought maybe the poll would be closed though, because Bira's test in the other thread added a closed poll, but if the thread is open, it creates an open poll.

Maybe make this only available to mods & admins? (e.g. check perms before proceeding if the referrer isn't newthread.php).

bira
Sun 3rd Jun '01, 1:48am
ok, this is by no means a fix per se, but it's better than nothing (for me at least).

This allows only the thread starter to add a poll (be it when he starts the thread or later):

find:


// check permissions
$permissions=getpermissions($foruminfo[forumid]);
if (!$permissions[canview] or !$permissions[canpostnew] or !$permissions[canpostpoll]) {
// in case someone gets here without permission, we need to update the thread's status


And change it to (change in red):


// check permissions
$permissions=getpermissions($foruminfo[forumid]);
if ($bbuserinfo[userid]!=$threadinfo[postuserid] or !$permissions[canview] or !$permissions[canpostnew] or !$permissions[canpostpoll]) {
// in case someone gets here without permission, we need to update the thread's status


At least I won't have users randomly adding polls to threads they didn't start!

Cheers,

Bira
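
The two ideas in the posts above (thread starter only, or moderators and admins), combined into one server-side authorization check. This is an added example, not part of the original posts and not vBulletin source code; the function name can_add_poll, the ismoderator flag, the pollid field and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not taken from poll.php.
// Decides whether $user may attach a poll to $thread. Only server-side
// values (session user, thread row, forum permissions) are used; the
// Referer header is client-supplied and is not consulted.
function can_add_poll(array $user, array $thread, array $perms): bool
{
    // Forum-level permissions: the only check the original code made.
    if (empty($perms['canview']) || empty($perms['canpostnew'])
        || empty($perms['canpostpoll'])) {
        return false;
    }
    // Assumption: a thread carries at most one poll (pollid 0 = none).
    if ((int) $thread['pollid'] !== 0) {
        return false;
    }
    // Moderators and admins may add a poll to any thread.
    if (!empty($user['ismoderator'])) {
        return true;
    }
    // Object-level check: everyone else must have started the thread.
    // userid 0 (guest) never matches, even on a guest-started thread.
    $uid = (int) $user['userid'];
    return $uid !== 0 && $uid === (int) $thread['postuserid'];
}

// Constructed sample data.
$perms  = ['canview' => 1, 'canpostnew' => 1, 'canpostpoll' => 1];
$thread = ['threadid' => 101, 'postuserid' => 7, 'pollid' => 0];
$cases  = [
    'thread starter' => ['userid' => 7, 'ismoderator' => 0],
    'other member'   => ['userid' => 8, 'ismoderator' => 0],
    'moderator'      => ['userid' => 9, 'ismoderator' => 1],
    'guest'          => ['userid' => 0, 'ismoderator' => 0],
];
foreach ($cases as $label => $user) {
    $verdict = can_add_poll($user, $thread, $perms) ? 'allowed' : 'denied';
    printf("%-15s %s\n", $label, $verdict);
}
```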

bira
Sun 3rd Jun '01, 7:40pm
umm... Hello? Ed? Freddie? John? :p

Freddie Bingham
Sun 3rd Jun '01, 7:48pm
Yes?

2.0.1 will be released very shortly and this issue is taken care of with that release.

bira
Sun 3rd Jun '01, 7:58pm
thanks.