View Issue Details

ID: 0005446
Project: Composr
Category: core_cns
View Status: public
Last Update: 2023-11-18 01:49
Reporter: Patrick Schmalstig
Assigned To: Patrick Schmalstig
Severity: Major-bug
Status: resolved
Resolution: fixed
Product Version: 10.0.43
Fixed in Version: 10.0.44
Summary: 0005446: Private topics get leaked when set to receive notifications for all forum topic activity
Description: Private topics will get leaked to members who have their notifications set to receive notifications for all forum topic activity.

This includes the title and URL of the PT. It also includes system messages, such as when someone is invited to the topic. It does not include the first post in the PT. I am not sure yet if it includes any further posts by members.

This is a high priority bug as it is a privacy risk.
Tags: Type: Legal compliance / Privacy
Time estimation (hours):
Sponsorship: open

Activities

Patrick Schmalstig

2023-11-15 07:25

administrator   ~0008046

I have not yet confirmed if the bug also exists in v11.

admin

2023-11-18 01:32

administrator   ~0008048

Automated response: Leaked PTs to members monitoring all topic activity

Private topics will get leaked to members who have their notifications set to receive notifications for all forum topic activity.

This happens when someone is invited to the private topic. The system message triggers a standard non-PT topic notification to members who had enabled notifications for all topic activity. This is because the function for determining whether a topic is private would not work it out (set it straight to false) if the post (in this case the system message saying someone was invited to the PT) was not the topic starter.

This fix explicitly defines the system message being posted as being posted in a private topic so that only members involved in the PT get the notification.

An additional check was added to ensure dispatch_notification never passes in "null" to topic notifications for to_member_ids (which would then cause everyone to receive the notification) when sending a notification for a private topic. Instead, it will be an empty array if anything other than an array of members is passed.
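
As an added illustration of the two defects described in this note and of the corrected behaviour (this is not Composr's own code; the function names, field names and sample member IDs are hypothetical), the buggy and fixed forms side by side, run on constructed data:

```php
<?php
// Hypothetical illustration, not Composr code: all names and data are made up.

// BEFORE: privacy was only derived when the triggering post was the topic starter.
// Any later post (such as the "member invited" system message) was treated as public.
function topic_is_private_buggy(array $post, array $topic): bool
{
    if ($post['id'] !== $topic['first_post_id']) {
        return false; // the short-circuit that caused the leak
    }
    return (bool) $topic['is_private'];
}

// AFTER: privacy is a property of the topic, independent of which post triggered the event.
function topic_is_private_fixed(array $post, array $topic): bool
{
    return (bool) $topic['is_private'];
}

// BEFORE: a null recipient list meant "everyone subscribed to all topic activity".
function dispatch_buggy(array $all_topic_subscribers, ?array $to_member_ids): array
{
    return $to_member_ids ?? $all_topic_subscribers;
}

// AFTER: for a private topic, anything that is not an array of member IDs becomes an
// empty array, so a missing participant list can never widen to "everyone".
function dispatch_fixed(array $all_topic_subscribers, $to_member_ids, bool $is_private): array
{
    if ($is_private) {
        return is_array($to_member_ids) ? $to_member_ids : [];
    }
    return is_array($to_member_ids) ? $to_member_ids : $all_topic_subscribers;
}

// Constructed sample: a private topic between members 7 and 12; members 3 and 19 also
// subscribe to all topic activity. Post 2 is the system message, not the topic starter.
$topic = ['first_post_id' => 1, 'is_private' => true, 'participants' => [7, 12]];
$system_message = ['id' => 2, 'body' => 'Member 12 was invited to this topic'];
$all_topic_subscribers = [3, 7, 12, 19];

// Leak path: the system message is judged non-private, so no participant list is built
// and the null recipient list falls back to every subscriber.
$is_private = topic_is_private_buggy($system_message, $topic);
$recipients = dispatch_buggy($all_topic_subscribers, $is_private ? $topic['participants'] : null);
echo 'before fix: ' . implode(', ', $recipients) . PHP_EOL;

// Fixed path: privacy comes from the topic, and the recipient list is restricted to participants.
$is_private = topic_is_private_fixed($system_message, $topic);
$recipients = dispatch_fixed($all_topic_subscribers, $topic['participants'], $is_private);
echo 'after fix:  ' . implode(', ', $recipients) . PHP_EOL;
```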

admin

2023-11-18 01:32

administrator   ~0008049

Fixed in git commit 9302069df0 (https://gitlab.com/composr-foundation/composr/commit/9302069df0 - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

hotfix-5446, 2023-11-18 1am.tar (79,872 bytes)

Patrick Schmalstig

2023-11-18 01:49

administrator   ~0008050

Bug also existed in, and was fixed in, v11

Issue History

Date Modified Username Field Change
2023-11-15 07:24 Patrick Schmalstig New Issue
2023-11-15 07:24 Patrick Schmalstig Status non-assigned => assigned
2023-11-15 07:24 Patrick Schmalstig Assigned To => Patrick Schmalstig
2023-11-15 07:24 Patrick Schmalstig Tag Attached: Type: Legal compliance / Privacy
2023-11-15 07:25 Patrick Schmalstig Note Added: 0008046
2023-11-18 01:49 Patrick Schmalstig Note Added: 0008050