Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: pepf on February 21, 2020, 06:56:56 PM

Title: Security problem?
Post by: pepf on February 21, 2020, 06:56:56 PM
Just looked at the forum for the first time in the morning, and the Users Online showed a Guest viewing the profile of a registered member.

How can that be? Guests can only view posts. They should be able to do nothing else in the whole forum, not even viewing profiles. Why is that?

Checking the IP it seemed to be from a Huawei cloud.
Title: Re: Security problem?
Post by: a10 on February 21, 2020, 07:29:53 PM
1st, take a look in Admin > Reports > Group Permissions, see if all settings are as expected.
Needs Report Generation (in core features) enabled.
Title: Re: Security problem?
Post by: Illori on February 21, 2020, 08:05:28 PM
Anyone can attempt to do something; to someone that can view that action, Who's Online will show what the action is. The user that is attempting the action will just get a denied error.
Title: Re: Security problem?
Post by: pepf on February 21, 2020, 10:41:05 PM
a10, thanks for this. I didn't know such a convenient table existed. I always thought the 'Reports' tab is for emailing reports which I want to avoid.
Anyway, the only thing that guests are allowed to do is to "view events", and I don't really know what 'events' means here. Will look through SMF information to find out.

Thanks Illori, that allays my concerns. I just wish there would be a pop-up in Who's Online notifying us that "Viewing" does not necessarily mean the action was successful.
Title: Re: Security problem?
Post by: m4z on February 22, 2020, 04:02:13 AM
> Anyway, the only thing that guests are allowed to do is to "view events", and I don't really know what 'events' means here. Will look through SMF information to find out.

That probably refers to calendar events.
Title: Re: Security problem?
Post by: pepf on February 22, 2020, 07:24:40 AM
Thank you all.