Guest is viewing PMs if ./?action=pm is loaded by them

Started by lucb1e, January 07, 2013, 09:15:36 AM

lucb1e

A friend of mine closed a forum, but looking in the Who's Online section (as admin) it appeared as if a guest was reading their PMs. I tried to reproduce it on a SMF 1.1.x forum that I knew, but it didn't work. Trying on the friend's forum, running SMF 2.0.2, as soon as I loaded smf/index.php?action=pm, I showed up as reading PMs. The forum is in maintenance mode, so that was kind of confusing.

Not an important bug, but perhaps something to patch in a future release.

Thanks,
Luc

Arantor

What's to patch, exactly? It's working exactly as designed.

The session is recording the fact that a user is visiting action=pm. Who's Online looks up the action that a user is performing and displays the action attached to that URL - it doesn't go through and verify whether the user has permission to be able to do that, because that would potentially mean dozens of database queries to figure it out.
Holder of controversial views, all of which my own.


lucb1e

It has to figure out whether the user is allowed to view the page anyway, so that doesn't impact anything. What's to patch is that it's confusing to see that a guest, a non-user, is viewing their PMs. My first idea was this bug, but the only other option would be a leak in the software that allowed guests to view other people's PMs. Or their own, which should also not be allowed during maintenance mode. Changing this behavior might just save some people a headache ;)

emanuele

I would simply remove the "Who is online" page.
That would save much more headaches. :P


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

NanoSector

Quote from: emanuele on January 07, 2013, 09:52:54 AM
I would simply remove the "Who is online" page.
That would save much more headaches. :P
Got to agree with this, really. The page has caused way too much confusion.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Arantor

Quote: What's to patch is that it's confusing to see that a guest, a non-user, is viewing their PMs.

If only it were actually a bug, but like I said, it's not. It is truly by design. The page doesn't go and validate that the person viewing the page actually has the permission to view that page - all that's recorded is that the user did in fact visit that page.

There's no bug, only a misunderstanding.
Holder of controversial views, all of which my own.

