Posts in private / restricted boards visible to general public through User Activity and Recent Post

14 years 3 months ago - 14 years 3 months ago #115952 by sozzled

GJSchaller wrote: I noticed that private posts are also hidden in the Recent Topics listing, as well as a user's profile - this means it's possible to hide them, and the code is already implemented in other parts of the Kunena component. It just needs to be applied to the "Last Post" portion of the Index.

Actually that's not wholly correct.

Let's say you have three groups of users:

| Group name | Definition |
|---|---|
| Type 1 | Guests |
| Type 2 | └ Registered-normal |
| Type 3 | └ └ Registered-Special |

Let's suppose you have a category structure like this:

| Section/Category Name | "Restricted" to |
|---|---|
| Section A | Type 1 users |
| ├ Category A1 | Type 1 users |
| └ Category A2 | Type 2 users |
| └ └ Sub-category A2.1 | Type 3 users |

This table shows who "sees" what:

| User group | Category names indexed/displayed | last post shown | can view topics in |
|---|---|---|---|
| Type 1 | A1 | A1 | A1 |
| Type 2 | A1 + A2 | A1 + A2 + A2.1 | A1 + A2 |
| Type 3 | A1 + A2 + A2.1 | A1 + A2 + A2.1 | A1 + A2 + A2.1 |

So, in one sense there is an issue in what the last post column displays where sub-categories are involved, or where sub-sub-categories are involved and further down the category structure tree. There's a security weakness, yes. There's not a major compromise in security, however, if you apply the simple remedy to the problem that we've already discussed earlier in this topic. The application of the remedy does, I admit, compromise a bit of screen real-estate.

I think that 31 categories for administration (!) is a little unusual but, it may interest you to know, the forum here at this site has over 180 categories in total and there's a wide mixture of accessibility to all of those. I think it's fair to say that the objective is attainable and that the cost of achieving the objective is a very low one within the current constraints.

We agree that this is an area where the project team needs to take some interest. The matter will not be resolved (with a technically ideal solution) before the release of K 2.0 in a couple of months' time.
Last edit: 14 years 3 months ago by sozzled.

14 years 3 months ago #115954 by GJSchaller
Yes, I know we've remedied it, but it's still a potential flaw that should be fixed in a future release. I would still like to move my sub-categories back under a main category, to conserve screen usage.

Saying "The door is stuck, use another one" is not an excuse to avoid un-sticking the stuck door. :)

Geoffrey Schaller
Technical Officer
Knight Realms

14 years 1 month ago #121494 by GJSchaller
I attempted to install Community Builder 1.8 and GroupJive on my site, and integrate it with Kunena 1.7.2 - this problem is preventing CB and GJ from working as intended.

Because GroupJive automatically creates new Kunena Categories (for new Groups) as Sub-Categories under a parent Category, this problem comes back up. If I create a private, invite-only Group using CB and GJ, everyone (including people not in the group) can see the last post made, EVEN IF IT WAS IN A PRIVATE GROUP.

Community Builder & GroupJive do not allow me to change how the groups are nested - new groups are always created under their parent Category.

The simplest solution for this problem is for Kunena to fix the flaw that allows people to see posts that are in Categories they do not have access to. Simply put, this is not a case of "you're doing it wrong," this is a bug in Kunena that allows users to see posts they should not be able to see.

I realize 2.0 is on the way - will this be fixed in 2.0? Can this be addressed in an update for 1.7.2? This is a fairly serious security issue in that it allows people to see posts they should not have access to.

Geoffrey Schaller
Technical Officer
Knight Realms

14 years 1 month ago #121496 by sozzled
Will this be fixed in K 2.0? That's a difficult question to answer. At this time we do not have a public beta version available for release. It is my understanding that Joomlapolis is interested in working to integrate Community Builder with K 2.0 but they are not able to work on K 2.0 until a public beta version is available. So, at this time, we're in a bit of a catch-22 scenario (no beta version and no CB integration with K 2.0 at all).

This discussion has been quite far-ranging and, as I review what has been written before, we've covered many different subjects: Joomla ACLs, Community Builder, GroupJive among others.

There is a lot of work that needs to be done to test the correct operation of Kunena in tightly regulated environments like yours. We recognise that K 1.7.2 may not fully "fit the bill" in every case but the project team is working hard to build K 2.0.0 beta; that's our first objective. I, personally, have two major problems:

(1) Finding any time, at all, to test K 2.0 while I spend 4-8 hours per day attending to issues raised on the forum about K 1.7. I'm not complaining; I enjoy the task but it leaves me little time for much else.

(2) Ensuring that the testing team has conducted a comprehensive range of tests so that, when K 2.0.0 beta is released, people will not rush on to the forum to complain about a range of errors that would take an army of volunteers from now until Christmas to answer.

This means that we need to remain clearly focused on the task at hand. We ask for everyone's patience and co-operation, please, no matter how urgently or seriously people may view their specific needs. If matters are genuinely urgent then arrangements can always be made on a fee-for-service basis.

14 years 1 month ago #121498 by GJSchaller
I am very concerned because this is a major security flaw that impacts more than just me - ANYONE that uses a child board with any form of permissions is going to have this issue.

If it will help, I've created a sample setup using nothing but base installs of Joomla 2.5 and Kunena 1.7, that demonstrates the issue. If you go here:

www.psi-13.com/test/index.php/forum/index

You will see a Category called "Public Category." Under it is a Sub-Category that is restricted to Super-Admins only. A single post is in the Sub-Category, that only Super-Admins should be able to see. Yet... anyone, including people who are not logged in, can see the title of the post.

Compare it to:

www.psi-13.com/test/index.php/forum/recent

The problem should not be that difficult to address - the solution is already implemented in other parts of Kunena 1.7.2. If I look at the Recent Topics listing, I cannot see the posts. The same basic filtering should apply to the Forum Index as it applies to the Recent Topics listing.

Geoffrey Schaller
Technical Officer
Knight Realms

13 years 11 months ago #124955 by Matias
Someone pointed me to this topic: Yes, this has already been fixed in K2.0. Parent categories will only display last topic that is visible to the user.
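
The index behaviour reported in this thread and the fix described in the reply above ("Parent categories will only display last topic that is visible to the user"), modelled as an added example. This is not Kunena code: the level numbers, class and function names and sample posts are constructed, and access is assumed to be hierarchical as in the Type 1/2/3 tables earlier in the thread.

```python
from dataclasses import dataclass, field

# Constructed model of the thread's example tree; not Kunena code.
# Assumption: access is hierarchical (Type 3 can read everything Type 2 can).
GUEST, REGISTERED, SPECIAL = 1, 2, 3

@dataclass
class Category:
    name: str
    min_level: int                                  # lowest user type allowed to read it
    posts: list = field(default_factory=list)       # (timestamp, subject) tuples
    children: list = field(default_factory=list)

def last_post(cat, viewer=None):
    """Newest (timestamp, subject) in cat and its descendants.
    viewer=None reproduces the reported rollup; a level applies the fix."""
    if viewer is not None and viewer < cat.min_level:
        return None                                 # skip the whole unreadable subtree
    found = list(cat.posts)
    for child in cat.children:
        post = last_post(child, viewer)
        if post is not None:
            found.append(post)
    return max(found, default=None)

def index_rows(categories, user_level, filtered):
    """Map each category row listed for this user to its 'last post' subject."""
    rows = {}
    for cat in categories:
        if user_level >= cat.min_level:             # row is listed for this user
            post = last_post(cat, user_level if filtered else None)
            rows[cat.name] = post[1] if post else None
    return rows

def leaked_rows(categories, user_level):
    """Rows whose unfiltered 'last post' is not one the viewer may read."""
    shown = index_rows(categories, user_level, filtered=False)
    allowed = index_rows(categories, user_level, filtered=True)
    return sorted(name for name in shown if shown[name] != allowed[name])

# Constructed sample data matching Section A in the thread (A1, A2, A2.1).
A21 = Category("A2.1", SPECIAL, posts=[(300, "Staff only: moderation notes")])
A2 = Category("A2", REGISTERED, posts=[(200, "Members: meetup")], children=[A21])
A1 = Category("A1", GUEST, posts=[(100, "Welcome")])
SECTION_A = [A1, A2]
```

`leaked_rows` doubles as a regression check: run it for every user level against a copy of the category tree and expect an empty list each time.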
