normal user search returns posts from moderators' board

Gika · May 21, 2006, 01:49:44 PM

I've posted a topic with an unique word in a moderator-reserved board.
then I logged off and tried to search for that word -- surprise, it returned that topic. seems like the search function searches ALL boards, not caring of the permissions. (before asking, yes, I checked the permissions).

I'm using SMF 1.1 RC2, modded but with no edits to Search.php.

Leipe Po · May 21, 2006, 02:58:58 PM

but if you click it does it allows you in your board?

Gika · May 21, 2006, 03:23:11 PM

no. but one can still see part of the post in the search results.

Gika · June 03, 2006, 12:19:29 PM

well, any solution for this? it's becoming a serious problem in my forum...

^DooM^ · June 03, 2006, 06:58:27 PM

I have tested this extensively and found no such issue on my forum running 1.1RC2. A mod you have installed must be allowing this to happen.

I would check the mods you have installed especially ones that deal with permissions.

Gika · June 04, 2006, 03:25:05 PM

the only mod I have installed is Karma on Memberlist, which deals only with Memberlist.php, and the SMF 1.0.7 / 1.1 RC2 Update. I don't know, I don't remember manually editing files that may have caused this...

^DooM^ · June 04, 2006, 03:36:06 PM

Maybe it is an issue with the update from 1.0.7 My install was a fresh 1.1RC2.

Sorry I cannot be of any more help. I hope you get your issue sorted soon.

The Wicked Flea · June 05, 2006, 06:02:48 PM

No, my fresh install of SMF 1.1RC2 does this as well. And the snippets of the posts can be revealing if you host projects or have staff meetings on potentially sensitive issues.

That's not a good thing, and I think it's a bug.

The Wicked Flea · June 05, 2006, 06:07:57 PM

Quick note, I just did a test and it doesn't happen anymore. It seems that I was shown as logged out when I wasn't, and so the search returned full results. It no longer does so.

This problem didn't exist when I turned the search index off and on, tested both ways.

Gika · June 13, 2006, 03:58:55 PM

Quote from: ^DooM^ on June 04, 2006, 03:36:06 PM
Maybe it is an issue with the update from 1.0.7 My install was a fresh 1.1RC2.

Sorry I cannot be of any more help. I hope you get your issue sorted soon.

I meant the recent security update, which under Packages is listed as "SMF 1.0.5 / 1.1 RC2 update".
anyway I tried it many times and it shows those results even when I'm not logged on. even turning the search index on gives that problem. I don't know... I have made some minor edits to the sources, but as far as I can remember not to Search.php. I'll try to restore the original source files...

thank you for your help anyway.

finnhack · July 31, 2006, 05:44:23 PM

I run into the same problem too! I got about 5 hidden boards and if a user search with "Show results as messages" enabled he can see posts from the hidden boards. I'm using Smf 1.1 RC 2-1 and I wonder if there was something in the patch "SMF 1.0.7 / 1.1 RC2 Update" that made this happen (it modified search.php and QueryString.php)

I will look at and compare the sourcefiles here some day in near future, I just thougt it is quite strange if we are only 2 who has this problem. I'll get back if I find something interesting.

EDIT: Tested it out a little bit and found some interesting things. In fact the posts returned from the hidden boards did not contain the actual search word (for example if I searched for the word 'good' the message I found on the board that I should not have been able to see, did not contain the word good). Also noticed that the timelimit (days ago) did not affect these 'hits'. So it's like the search would return random posts from boards that I should not be able to view.

finnhack · August 01, 2006, 05:54:03 AM

OK, I get on talking to myself

After some hours of testing i found out that it is always the same messages that leaks from the hidden boards. It happens if the search word is a common word and the result returns more than 10 pages (over 300 answers), I'm haven't tested yet exactly what the magic limit is but it always happens if there are more than 300 "hits". The messages returned from hidden boards do not have to contain the search word itself.

I'll now try to get around this by setting the max result to someting other than 0.

finnhack · August 01, 2006, 12:01:37 PM

Maybe someone who knows how the search is constructed could tell something from this test:

Searching for a certain word returns with different daysettings:

Between 0 and 3 days = returns 2 messages/hits (which are ok)
Between 0 and 4 days = returns 171 messages/hits (of which 2 contains the word searched)
Between 0 and 1 days = returns 0 messages
Between 1 and 4 days = returns 2 messages/hits (which are ok)

This works for all searched words, but the "Between xx and xx days" is different for every word. Starting to think of corrupted database or something like that. Will also try to connected the database to a Smf with fresh sourcefiles later.

(sorry for posting replyes to myself, but this problem gives me no peace in mind)

edit: so, now I have kind of sorted out how this works! Unfortunately I still don't know what causes it. Tryed running my board with fresh Smf sourcefiles but the problem still exists. So it has to be something in the database or in the settings. But the conclusion I made so far:
1. I posted a topic with completely constructed (imaginary) words, for example a topic named Bliblo with message body Blobli.
2. When I searched for Blobli (as in message body) the search was ok, it returned only one message.
3. When I searched for Bliblo (as in topic subject) it returned 327 messages (1 containing the searched word Bliblo plus 326 messages not containing the word searched)
4. Thanks to this I noticed that if I search for a word or a phrase that also exists in a topic subject the search returns messages not containing the searched word from public and non public boards. It is always the same "not wanted" messages that appears.

I have tried this randomly on other Smf boards on Internet running Smf 1.1 RC2 and they does not seeme to have the same problem. So I guess I'm on my own with this.

finnhack · August 02, 2006, 04:47:52 AM

Okay, I dumped all log_search-tables and now the original problem is gone

Now the search only returns messages actually containing the searched word. Which is really nice. It would also be really nice to understand how these log_search_* tables are used, because due to my problems I strongly believe that there are situations when non public boards can leak through the search function.

After truncating the log_search-tables the search does not find any word that only appears in the subject if the message was posted before I truncated the tables. Does Smf build log_search_subjects when posting a new message? Wonder from which version of Smf this table is used and how the old messagesubjects were added to the table. Just guess that there can have been some problems with some of the many upgrades throughout the years, I started with YabbSE 2001 and have only made upgrades since then, never done a clean install after the firts one.

Hopefully some of my monologue can be usefull if anybode else runs into this uncommon problem

finnhack · September 04, 2006, 04:40:42 PM

Sad to say it, but the same problem came back

Guess it would help dumping the log_search-tables once again, but as it seem to happen again this will only solve the problem for the moment.

JayBachatero · September 04, 2006, 11:56:27 PM

Did you upgrade to RC3? The search was improved in RC3.

finnhack · September 13, 2006, 05:00:26 PM

Quote from: Jay The Code Monkey on September 04, 2006, 11:56:27 PM
Did you upgrade to RC3? The search was improved in RC3.

No, I have to admit that I'm still running RC2, so I guess there is a chance upgrading will fix it. I'll promise not to "complain" more before upgrading

News:

normal user search returns posts from moderators' board