[FIXED][3] Members getting thread notification in private forums they can't access


tamarian
Mon 20th Jan '03, 7:13pm
Here's the problem:

1. Member1 posts in a thread or starts a thread and selects email notification when there are replies.

2. Forum becomes private, or member1 loses access to that forum (but not banned), or thread is moved to a private forum

3. Another member, member2, with access to the forum replies to the original thread.

4. Member1 receives email notification, stating member2 replied to [thread name] in forum [private forum name], and to read that reply, visit [link to private thread]

5. Member1 gets error message that they can't access the thread.

Worst case scenario from step 2, is if the thread is moved to a hidden private forum, that member1 didn't know about.

Then they get an email revealing the name of the hidden private forum [trash, idiotic posts, troll watch list, or something like this :) ], and the name of the person replying to [revealing who has access to that forum, or who most likely moved the thread]

Not sure what the vB3 code looks like, but it may even divulge (if not fixed) the content of the post, or part of it, since the notification in vB3 will enclose contents from the post.

I think this is a bug, as it reveals private information. Members should not be notified about posts/threads in private forums they cannot (no longer) access, nor divulge further details.

tamarian
Tue 21st Jan '03, 7:14pm
So, bug or no bug? :)

vBR
Tue 21st Jan '03, 7:41pm
I would say it's a feature.
Should be looked at though.

Steve Machol
Tue 21st Jan '03, 9:31pm
I'll move this to the Bugs forum so a Dev can have a look at it.

Paul
Wed 22nd Jan '03, 3:19pm
Originally posted by tamarian
I think this is a bug, as it reveals private information. Members should not be notified about posts/threads in private forums they cannot (no longer) access, nor divulge further details.

I'm fairly certain that we had tested this in past versions of vBulletin to ensure this wouldn't happen and found that it didn't, however perhaps I'm mistaken or this was introduced as a new bug in a later version.

I'll try to recreate this. This is unacceptable on our forums.

Best wishes,
Paul

Paul
Wed 22nd Jan '03, 3:37pm
I cannot reproduce this. What version are you using? Have you modified your forum code? Has anyone been able to successfully recreate this as a bug? Steve?

I took a glance at the code in functions.php (where the sendnotification() function is located). Specifically:


$useremails=$DB_site->query("SELECT user.*
FROM subscribethread,user,usergroup
WHERE subscribethread.threadid='$threadid'
AND subscribethread.userid=user.userid
AND usergroup.usergroupid=user.usergroupid
AND user.userid<>'$userid'
AND user.usergroupid<>'3'
AND usergroup.canview = 1
AND user.lastactivity>'$lastposttime[dateline]'");


"AND usergroup.canview = 1" will only return e-mail addresses from users who have "view" permissions on the particular forum in question. I wonder if your problem is related to sub-forum permissions inheritance? Have you explicitly set permissions on nested forums? I believe that is a known design issue with vB2.x which will not be addressed until vB3.

tamarian
Wed 22nd Jan '03, 8:27pm
Originally posted by LoveShack
I took a glance at the code in functions.php (where the sendnotification() function is located). Specifically:


$useremails=$DB_site->query("SELECT user.*
FROM subscribethread,user,usergroup
WHERE subscribethread.threadid='$threadid'
AND subscribethread.userid=user.userid
AND usergroup.usergroupid=user.usergroupid
AND user.userid<>'$userid'
AND user.usergroupid<>'3'
AND usergroup.canview = 1
AND user.lastactivity>'$lastposttime[dateline]'");


"AND usergroup.canview = 1" will only return e-mail addresses from users who have "view" permissions on the particular forum in question. I wonder if your problem is related to sub-forum permissions inheritance? Have you explicitly set permissions on nested forums? I believe that is a known design issue with vB2.x which will not be addressed until vB3.

Does the canview get updated when you hide a forum, change access permissions for a group and/or move a thread to a hidden subforum?

My forum is hacked, and 2.2.9, but I don't see any hack related to this behaviour. I'll be glad to try to reproduce any of the combinations above on a standard vB, but I'm on the move to a new server :) shortly and might take a few days.

Paul
Thu 23rd Jan '03, 12:27am
Originally posted by tamarian
Does the canview get updated when you hide a forum, change access permissions for a group and/or move a thread to a hidden subforum?

I have no idea.. If I get a chance, I'll play around with it tomorrow afternoon and see if I can reproduce it that way. I do recall seeing numerous messages regarding settings not being applied to nested forums.

My forum is hacked, and 2.2.9, but I don't see any hack related to this behaviour. I'll be glad to try to reproduce any of the combinations above on a standard vB, but I'm on the move to a new server :) shortly and might take a few days.

Well, your hacks might have broken something--anytime you modify the base code you're going to run the risk of that. My guess, however, is simply that this is another manifestation of the known permissions problem. As a workaround, try setting specific permissions on your sub-forums and see if you can still reproduce this error.

Best wishes,
Paul

Scott MacVicar
Thu 30th Jan '03, 11:11am
The code is there in vB2, just it's commented out; it's in postings.php under domove

I'm investigating now.

just uncomment the code from line 422 - 436

tamarian
Fri 31st Jan '03, 5:59pm
Originally posted by Scott MacVicar
The code is there in vB2, just it's commented out; it's in postings.php under domove

I'm investigating now.

just uncomment the code from line 422 - 436


What about the case when forum permissions are updated, or a forum/subforum is made private?
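
Added example, not part of the thread and not vBulletin's code: it contrasts a recipient query that filters only on a group-wide view flag (as the quoted query does with usergroup.canview) with one that resolves view access against the thread's current forum at send time, which covers both a moved thread and a later permission change. The schema, the forumpermission table, the sample rows and the function names are constructed for this illustration.

```python
import sqlite3
# Constructed, simplified schema: table and column names are assumptions.
SCHEMA = """
CREATE TABLE usergroup (usergroupid INTEGER PRIMARY KEY, canview INTEGER);
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER);
CREATE TABLE thread (threadid INTEGER PRIMARY KEY, forumid INTEGER);
CREATE TABLE subscribethread (userid INTEGER, threadid INTEGER);
CREATE TABLE forumpermission (forumid INTEGER, usergroupid INTEGER, canview INTEGER);
"""

# Filters on the group-wide flag only, like the query quoted in the thread.
GROUP_ONLY = """
SELECT user.username FROM subscribethread
JOIN user ON user.userid = subscribethread.userid
JOIN usergroup ON usergroup.usergroupid = user.usergroupid
WHERE subscribethread.threadid = ? AND user.userid <> ? AND usergroup.canview = 1
ORDER BY user.username
"""

# Checks the forum the thread is in now; a per-forum row overrides the group default.
PER_FORUM = """
SELECT user.username FROM subscribethread
JOIN user ON user.userid = subscribethread.userid
JOIN usergroup ON usergroup.usergroupid = user.usergroupid
JOIN thread ON thread.threadid = subscribethread.threadid
LEFT JOIN forumpermission fp
  ON fp.forumid = thread.forumid AND fp.usergroupid = user.usergroupid
WHERE subscribethread.threadid = ? AND user.userid <> ?
  AND COALESCE(fp.canview, usergroup.canview) = 1
ORDER BY user.username
"""

def recipients(db, sql, threadid, poster_id):
    """Usernames that would be e-mailed about a reply by poster_id."""
    return [row[0] for row in db.execute(sql, (threadid, poster_id))]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executescript("""
    INSERT INTO usergroup VALUES (2, 1), (6, 1);          -- members, moderators
    INSERT INTO user VALUES (1, 'member1', 2), (2, 'member2', 6), (3, 'mod3', 6);
    INSERT INTO thread VALUES (10, 1);                    -- thread starts in public forum 1
    INSERT INTO subscribethread VALUES (1, 10), (3, 10);
    INSERT INTO forumpermission VALUES (5, 2, 0);         -- forum 5 hidden from members
    """)
    return db

def move_thread(db, threadid, forumid):
    db.execute("UPDATE thread SET forumid = ? WHERE threadid = ?", (forumid, threadid))
```

The example does not model permission inheritance between nested forums, which the thread names as a separate known issue.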