Question Posts in private / restricted boards visible to general public through User Activity and Recent Post
GJSchaller (Topic Author):
For example, on the Main Board index, on the rightmost side, where it lists "Last Post," the subject of the last post made on a child board will be displayed, even if the viewer does not have access to that child board.
For example: www.knightrealms.com/forum/index.html
At the bottom, under "Private Boards" are about a dozen child boards, each protected by User Groups. But the name / subject of the last post is still showing up on the Main Index, visible to all, even when a viewer is not logged in. (The actual board "Private Boards" is locked, and no one posts there. It's merely a container for the sub-boards. It has two old posts describing why it's locked, but no recent content.)
This is a potential privacy / security issue - any way it can be escalated for a quick resolution?
Database collation check: The collation of your table fields are correct
Legacy mode: Disabled | Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |
htaccess: Exists | PHP environment: Max execution time: 30 seconds | Max execution memory: 64M | Max file upload: 200M
Joomla default template details : knightrealms | author: Geoffrey Schaller | version: 1.7.0 | creationdate: 12th August 2011
Kunena default template details : Travance | author: Geoffrey J. Schaller | version: 1.7.1 | creationdate: 2011-12-30
Kunena version detailed: Installed version: 1.7.1 | Build: 5162 | Version name: UnderUret | Kunena detailed configuration:
Kunena config settings:
board_offline 0 board_ofset 0 enablerss 0 enablepdf 0 threads_per_page 30 messages_per_page 30 messages_per_page_search 30 showhistory 1 historylimit 30 shownew 1 jmambot 1 disemoticons 0 template travance showannouncement 0 avataroncat 0 catimagepath category_images/ showchildcaticon 0 annmodid 62 rtewidth 450 rteheight 300 enableforumjump 1 reportmsg 1 username 0 askemail 1 showemail 0 showuserstats 1 showkarma 0 useredit 1 useredittime 0 useredittimegrace 600 editmarkup 1 allowsubscriptions 1 subscriptionschecked 0 allowfavorites 1 maxsubject 50 maxsig 300 regonly 0 changename 1 pubwrite 0 floodprotection 0 mailmod 0 mailadmin 0 captcha 0 mailfull 1 allowavatar 1 allowavatarupload 0 allowavatargallery 1 avatarquality 90 avatarsize 2048 allowimageupload 0 allowimageregupload 1 imageheight 800 imagewidth 800 imagesize 128 allowfileupload 0 allowfileregupload 1 filetypes txt,rtf,pdf,zip,tar.gz,tgz,tar.bz2 filesize 128 showranking 1 rankimages 1 avatar_src fb fb_profile fb pm_component no userlist_rows 30 userlist_online 1 userlist_avatar 1 userlist_name 1 userlist_username 0 userlist_posts 1 userlist_karma 0 userlist_email 0 userlist_usertype 1 userlist_joindate 1 userlist_lastvisitdate 1 userlist_userhits 0 latestcategory 0 showstats 1 showwhoisonline 0 showgenstats 1 showpopuserstats 1 popusercount 5 showpopsubjectstats 1 popsubjectcount 5 usernamechange 1 rules_infb 1 rules_cid 351 help_infb 1 help_cid 1 showspoilertag 1 showvideotag 1 showebaytag 1 trimlongurls 1 trimlongurlsfront 40 trimlongurlsback 20 autoembedyoutube 1 autoembedebay 1 ebaylanguagecode en-us fbsessiontimeout 1800 highlightcode 0 rss_type topic rss_timelimit month rss_limit 100 rss_included_categories rss_excluded_categories rss_specification rss2.0 rss_allow_html 1 rss_author_format name rss_author_in_title 1 rss_word_count 0 rss_old_titles 1 rss_cache 900 fbdefaultpage recent default_sort asc alphauserpointsnumchars 0 sef 1 sefcats 1 sefutf8 1 showimgforguest 1 showfileforguest 1 
pollnboptions 4 pollallowvoteone 1 pollenabled 1 poppollscount 5 showpoppollstats 1 polltimebtvotes 00:15:00 pollnbvotesbyuser 100 pollresultsuserslist 1 maxpersotext 50 ordering_system replyid post_dateformat datetime_today post_dateformat_hover datetime_today hide_ip 1 js_actstr_integration 0 imagetypes jpg,jpeg,gif,png checkmimetypes 1 imagemimetypes image/jpeg,image/jpg,image/gif,image/png imagequality 50 thumbheight 150 thumbwidth 150 hideuserprofileinfo put_empty integration_access joomla integration_login joomla integration_avatar kunena integration_profile kunena integration_private uddeim integration_activity none boxghostmessage 0 userdeletetmessage 2 latestcategory_in 1 topicicons 0 onlineusers 1 debug 0 catsautosubscribed 0 showbannedreason 0 version_check 1 showthankyou 1 showpopthankyoustats 1 popthankscount 5 mod_see_deleted 0 bbcode_img_secure text listcat_show_moderators 1 lightbox 0 activity_limit 0 show_list_time 720 show_session_type 1 show_session_starttime 0 userlist_allowed 1 userlist_count_users 3 enable_threaded_layouts 0 category_subscriptions topic topic_subscriptions first pubprofile 0 thankyou_max 10 email_recipient_count 0 email_recipient_privacy bcc email_visible_address [email protected] captcha_post_limit 0
Third-party components: UddeIm 2.6
Third-party SEF components: None
Plugins: System - Mootools Upgrade: Disabled | System - Mootools12: Disabled | Kunena Search 1.7.1
Modules: Kunena Stats 1.7.1 | Kunena Login 1.7.1
Geoffrey Schaller
Technical Officer
Knight Realms
Could you post a screen shot of the configuration of the category (or sub-category) that is involved in this case, please?
Blue Eagle vs. Crypsis reference guide
Read my blog and
GJSchaller (Topic Author):
The post "Floors of the Inverted Tower" was made on a board, "Scholar's Guild", which is a sub-board of Private Boards. It is restricted to the User Group "Scholar's Guild" only, and cannot be accessed by clicking on the message - if you click on it, you get a message saying "You do not have permissions to access this page." and asking you to log in.
The configuration for the board is in Attachment 2.
The post itself is private, but the subject, who posted it, and the board it is on are visible (the latter by the URL of the link to the post). What this means is that someone can see the subject, board name, and poster for a possibly sensitive post, even if they can't see the body.
The example I gave is for a game - it shows a secret post in a D&D style game by a hidden group of scholars. But there are much larger implications - if the staff of the game is discussing a problem of a sensitive nature, the discussion would become public knowledge, even if the contents of the post are not.
Geoffrey Schaller
Technical Officer
Knight Realms
The image you've posted shows that the Private Boards is locked. This means that if a user can view the topics, they can't post topics/replies in that category. The Scholar's Guild category is not locked but it only means that, if a user can view topics, they can post topics in that category. The question is whether the user can view topics.
Normally - i.e. unless you have a reason not to - categories should be "moderated" (this changes the tick/cross in the second column). Most forums that I've used normally have all categories moderated. I don't think this has a bearing on the case but I offer it as a suggestion to you, anyway.
The part that affects viewing access is the Permissions tab for each of those two categories. That is really the image (or images) that I wanted to see.
However, the first image you posted is, I think, the key to understanding the question. I think it's because the "Last post" information shows that a message was posted in a private sub-category, this is the "security" problem that you're discussing.
Again, I say, I'm trying to understand specifically what is the problem here. Is the problem that a user can view topics or is the problem that the "Last post" information shows that there was a message posted in a private sub-category? I think it's the latter issue that is the problem here. Have I correctly summarised the situation in your case?
Blue Eagle vs. Crypsis reference guide
Read my blog and
GJSchaller (Topic Author):
For the Permissions Tab - you can see from my 2nd Attachment that the only group that has access is "Scholar's Guild," where Private Boards is Public.
If it will help you, go to: www.knightrealms.com/forum/index.html
Do NOT register, and click on the "Last Post" link - you won't be able to read the post, but you can still learn a lot about it from looking at the link and the information on the index.
Geoffrey Schaller
Technical Officer
Knight Realms
A couple of things. First of all, I understand what you are talking about (only because I have been using Kunena for a few years) but many of the newer members of this forum will be mystified by some of the terminology that we're using. Even though I understand that "child boards" = sub-categories, it helps if we use the same terminology. For the benefit of other people looking at this topic, who want to understand the problem and how to resolve it, they should read Standard consistent terminology.
There is an issue if the parent category has permissions that are more "relaxed" than a sub-category may have.
Let's work through an example. Let's say you have two groups of users:
(1) Type A users who can view topics in the Private Boards; and
(2) Type B users who can view topics in the Scholar's Guild.
Typically, Type A users are a subset of Type B users. For example, Type B users might be registered users but, of course, registered users are a subset of "guests". So, in the case of sub-categories, if a guest can see all the categories, even if they can't view the sub-categories in those categories, they will see "evidence" of message activity in those sub-categories.
There's a fundamental principle in security (of any kind): "The best way to keep a secret is not to tell people that you have a secret." Therefore, the best way to resolve the problem is to hide the fact that you have a category called Private Boards. The way to do that is to ensure that any sub-categories lying below a parent category have the same permissions as the parent category. If you want the Private Boards to be truly "private" set the permissions on that category to be the same as the permissions on the Scholar's Guild.
There's a limitation on the degree to which you can keep things totally "secret" in Kunena. We are aware of this limitation but, at the moment, there isn't a way to apply the granularity of security in the way that you have illustrated.
As a workaround, I would create a new section (called Private Boards). In that section I would have two categories.
(1) A category for "rules", general information, etc.; and
(2) A category for your Scholar's Guild
If you do that guests can still see the "rules", etc., but they won't see any evidence of activity in the Scholar's Guild. For that matter, they won't even know that a category Scholar's Guild exists (unless you post a message somewhere else that refers to that category).
Is my explanation reasonably clear to you?
Blue Eagle vs. Crypsis reference guide
Read my blog and
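The leak reported in this thread, and the permission rule recommended in the last reply, as an added example that is not part of the original posts and is not Kunena's code. It models a "Last post" roll-up over a parent category and its sub-categories: the leaky version checks only that the viewer may see the parent and then aggregates every descendant, so a guest learns the subject, author and category of the newest post in a restricted sub-category; the safe version filters the roll-up to categories the viewer may actually see. It also includes an audit that flags a sub-category whose view permission is narrower than its parent's, which is the configuration the last reply says to avoid. The categories, groups and posts are constructed for illustration and the group name "public" meaning "everyone" is an assumption of this model, not a Kunena setting.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Category:
    id: int
    name: str
    parent: Optional[int]
    view_groups: frozenset  # groups allowed to view topics; "public" = everyone (assumed)

@dataclass(frozen=True)
class Post:
    id: int
    category: int
    author: str
    subject: str
    time: int  # larger = newer

# Constructed data mirroring the thread: a public container with a restricted child.
CATEGORIES = {
    1: Category(1, "Private Boards", None, frozenset({"public"})),
    2: Category(2, "Scholar's Guild", 1, frozenset({"Scholar's Guild"})),
    3: Category(3, "Rules", 1, frozenset({"public"})),
}
POSTS = [
    Post(100, 1, "staff", "Why this board is locked", 1),
    Post(101, 3, "staff", "House rules", 5),
    Post(102, 2, "scholar1", "Floors of the Inverted Tower", 9),
]

def can_view(cat: Category, viewer_groups) -> bool:
    return "public" in cat.view_groups or bool(cat.view_groups & frozenset(viewer_groups))

def descendants(cat_id: int) -> list:
    """The category itself plus every sub-category below it."""
    out = [cat_id]
    for c in CATEGORIES.values():
        if c.parent == cat_id:
            out.extend(descendants(c.id))
    return out

def last_post_leaky(cat_id: int, viewer_groups) -> Optional[Post]:
    # Bug: only the parent is access-checked; children are rolled up regardless of viewer.
    if not can_view(CATEGORIES[cat_id], viewer_groups):
        return None
    scope = set(descendants(cat_id))
    return max((p for p in POSTS if p.category in scope), key=lambda p: p.time, default=None)

def last_post_safe(cat_id: int, viewer_groups) -> Optional[Post]:
    # Fix: the aggregate is computed only over categories the viewer may see,
    # so it never reveals more than direct access to each category would.
    visible = {c for c in descendants(cat_id) if can_view(CATEGORIES[c], viewer_groups)}
    if cat_id not in visible:
        return None
    return max((p for p in POSTS if p.category in visible), key=lambda p: p.time, default=None)

def parent_is_more_relaxed(parent: Category, child: Category) -> bool:
    """True if someone who can view the parent cannot view the child."""
    if "public" in child.view_groups:
        return False          # everyone sees the child; nothing to hide
    if "public" in parent.view_groups:
        return True           # guests see the parent's roll-up but not the child
    return not parent.view_groups <= child.view_groups

def audit_relaxed_parents() -> list:
    """Flag (parent, child) pairs where the parent's 'Last post' would leak child activity."""
    return [
        (CATEGORIES[c.parent].name, c.name)
        for c in CATEGORIES.values()
        if c.parent is not None and parent_is_more_relaxed(CATEGORIES[c.parent], c)
    ]

if __name__ == "__main__":
    guest = frozenset()
    print("leaky:", last_post_leaky(1, guest).subject)   # restricted subject shown to a guest
    print("safe: ", last_post_safe(1, guest).subject)    # only public content
    print("audit:", audit_relaxed_parents())
```

The audit implements the rule from the last reply in reverse: rather than requiring every sub-category to carry the parent's permissions, it reports each place where the parent is visible to a principal the child is not, which is exactly the pair the "Last post" column would expose. Running it over a real category tree would require exporting the categories and their view permissions into the same structures.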