I'm referring to:
It's a bug present in 2.0 as well, so quite a long story, nothing new.
Basically: any reply to a moderated topic, posted by someone with permission to approve posts is visible in action=recent and in the search by everybody.
Since it has been disclosed already it's pointless to keep it hidden.
Steps to reproduce:
- have post moderation active,
- create a new topic with a user that is post-moderated (the topic will be unapproved),
- log in with an account that has permission to post without moderation (e.g. admin),
- reply to the topic,
- go to action=recent and see the message posted by the admin.
Workaround: if you have post-moderation active, instruct your moderators to use the "unapprove" button on each reply done to a moderated topic.
This way all the posts will be unapproved and visible only to the people that have permissions to view unapproved posts.
To verify: the checkbox "Approve this post" doesn't seem to be honored if not checked (i.e. if you want to post the message directly in unapproved status you cannot).
Considering this bug, I would squeeze the scope of 1.1.6 to anything that is already there, this one and another security issue reported a while ago (not terribly important) and anything that can be fixed by... Sunday night I'd say.
That way it should be possible to have a release out by the end of next week.
@ahrasis while reviewing the bugs, did you see anything that could be considered mandatory to have in 1.1.6? (i.e. things that are causing either data loss or big problems)
I don't see any from my side so far, though those who've seen one should highlight theirs, if any.
I've been a bit too optimistic... :-\
Oh well, the security fixes are ready here locally.
I've cleaned up the list for 1.1.6, something more can be removed depending on what can be fixed.
@Spuds what do you think, all the remaining should be fixed or we can release what we have and leave the rest for later?
The culled list seems reasonable to address, a couple of the unconfirmed ones will likely get moved to 1.1.7 unless some new information shows up. We can see what else we can fix this week, defer the rest and try for a release next weekend?
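
The leak described in the first post, and the effect of the "unapprove" workaround, as an added sketch that is not part of the thread or of the forum software's own code. It assumes the cause is a listing that filters on the message's own approval flag only; the schema, names and sample rows are hypothetical.

```python
import sqlite3

# Hypothetical minimal schema: table and column names are assumptions,
# not the forum software's real ones.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics (id INTEGER PRIMARY KEY, approved INTEGER NOT NULL);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, topic_id INTEGER NOT NULL,
                               poster TEXT NOT NULL, approved INTEGER NOT NULL);
    """)
    # Constructed sample rows that follow the steps to reproduce.
    db.executemany("INSERT INTO topics VALUES (?, ?)", [(1, 1), (2, 0)])
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (10, 1, "alice", 1),           # post in a normal, approved topic
        (20, 2, "moderated_user", 0),  # first post of the unapproved topic
        (21, 2, "admin", 1),           # admin reply, stored as approved
    ])
    return db

def recent_posts(db, can_view_unapproved, check_topic):
    """Return the message ids a viewer gets in a recent-posts style listing."""
    sql = "SELECT m.id FROM messages m JOIN topics t ON t.id = m.topic_id"
    conditions = []
    if not can_view_unapproved:
        conditions.append("m.approved = 1")      # per-message check only
        if check_topic:
            conditions.append("t.approved = 1")  # also require an approved topic
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    sql += " ORDER BY m.id DESC"
    return [row[0] for row in db.execute(sql)]

def apply_workaround(db, message_id):
    """The thread's workaround: unapprove the reply itself."""
    db.execute("UPDATE messages SET approved = 0 WHERE id = ?", (message_id,))

if __name__ == "__main__":
    db = build_db()
    print("message-only filter:   ", recent_posts(db, False, check_topic=False))
    print("message + topic filter:", recent_posts(db, False, check_topic=True))
    print("approver's view:       ", recent_posts(db, True, check_topic=True))
    apply_workaround(db, 21)
    print("after unapproving 21:  ", recent_posts(db, False, check_topic=False))
```
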