Fork me on GitHub
Subscribe 2

Ticket #1133 (worksforme bug)

Everyone can remove posts

  • Created: 2019-07-23 17:03:43
  • Reported by: Michał Giza
  • Assigned to: None
  • Milestone: None
  • Component: security
  • Priority: highest

I saw every user (even guest) can remove posts. This is not normal...

History

Michał Giza 2019-07-28 15:40:44

  • Visibility set to public.

Franz 2019-08-02 20:19:22

Can you explain how to reproduce this behavior? We haven't had a report like this before...

Michał Giza 2019-08-03 03:12:16

I am not logged. I can edit and delete posts

Franz 2019-08-03 10:54:10

  • Visibility set to private.

Can you provide a link to your forum? I certainly cannot reproduce this on our forums.

Michał Giza 2019-08-03 19:50:24

I don't know why but I can't upload photo here. So I uploaded PoC.png on Firefox Send:

hxxps://send.firefox.com/download/3110762646ccca8f/#_2HFZBlA2VNpiCtEJyh-BA

Comment edited 1 times (Diff)

Franz 2019-08-03 21:04:41

Well, it's not possible on a fresh FluxBB install. Have you changed group permissions, user group assignments, or installed any modifications?

Michał Giza 2019-08-04 02:41:16

I don't change anything

Franz 2019-08-07 20:33:23

  • Visibility set to public.
  • Status changed from open to worksforme.

I am sorry, but without more information I cannot help you.

I cannot reproduce this problem on a fresh local install, and also not on FluxBB.org.