last post title on profile page violates permissions Issue Tools
issueid=27548 Fri 3rd Apr '09 2:30am
vBulletin Team
last post title on profile page violates permissions
Enable this:

Admin CP -> vBulletin Options -> User Profile Options -> Show Last Post on Profile Page

Now the title of a user's last post will be visible in the statistics tab of their profile page. If the user who is viewing the profile page has the Can View Forum permission but no other permissions for the forum containing the user's last post then they can see the title of the last post even though they can't access the thread.
Issue Details
Issue Type Bug
Project vBulletin
Category User Groups / Permissions
Status Fixed (Closed)
Priority 7
Affected Version 3.8.2
Fixed Version 3.8.3
Users able to reproduce bug 4
Users unable to reproduce bug 1
Attachments 1
Assigned Users Mike Sullivan
Tags fixed 3.7.7

Fri 3rd Apr '09 2:41am
Senior Member
  
Thank you Jake.
Reply
Fri 3rd Apr '09 7:20am
vBulletin Team
  
If they already have the can view forum permission, they can already see the thread listing (IE: forumdisplay.php?f=x ) anyways... so they're not getting any escalated permissions. It'd be different if they can view part of the post via alt text though.
Reply
Fri 3rd Apr '09 7:52am
Former vBulletin Developer
  
What Andy says is correct, though it's missing a forum password and a canviewothers check. With canviewothers = false, the user won't be able to see posts by other users in that forum.
Reply
Fri 3rd Apr '09 1:23pm
Senior Member
  
Also canviewthreadcontent=false should block threads or posts from being seen.
Reply
Thu 9th Apr '09 7:50am
Former vBulletin Developer
  
Fixed now. (Patch below.)
Reply
Fri 10th Apr '09 1:21am
Senior Member
  
Tested,.. and a sincere thank you.
Reply
Reply