Fork me on GitHub
Subscribe 2

Ticket #280 (fixed bug)

Moderators can move/split posts to any board

  • Created: 2011-02-07 18:11:35
  • Reported by: Reines
  • Assigned to: Reines
  • Milestone: 1.4.5
  • Component: security
  • Priority: high

After posting the board ID to move/split topics to it is accepted without any confirmation that the current user is actually allowed to read that forum.

At the very least we should confirm the moderator has read permission for the board before the topic is actually moved/split.

A further enhancement that I would think makes sense is further restricting the boards moderators are allowed to move/split posts in to, to boards that moderators are allowed to post in.

History

Franz 2011-02-07 18:17:22

Uh, good catch. In fact, they shouldn't even be allowed to know they exist, right?

Reines 2011-02-07 18:24:18

Well they aren't shown in the drop-down list of boards to choose from, so the moderator would need to first know/guest the correct board ID.

Though at the moment the ability to move topics into boards you don't have write access to is a bit more of an issue probably, since it means moderators can effectively post in any board they want, regardless of their write permissions.

Reines 2011-02-07 21:42:17

  • Owner set to Reines.
  • Visibility set to public.
  • Status changed from open to fixed.