Topic: Entire Forum Search and Permissions (Read 927 times)

Entire Forum Search and Permissions

Hello All.

I ran across something with search and I am curious if this is normal behavior. It actually kind of surprised me. I had a look in the wiki and other places for more information and did not find an answer to my question.

I am building up a forum with, say, 10 categories, all with a varying number of boards in them.
The members of each category do not have access to the other categories.
Each member is in its own member group, and the member group is given permission to the category and the boards in that category.

So, all this works fine when I check users across categories (as in the members can only see their boards etc.), but what surprised me is that a member can do an entire-forum search and see results from the other categories they do not have access to. Of course, if they click on it, they are denied access, but I would not want anyone to be able to see the text or topics of the other categories or boards they are not members of.

Have I set up something wrong here? Or missed a setting?

Version Information:
This version: ElkArte 1.1.1
Current version: 1.1.1
Running on an Ubuntu 16.04 server with PHP 7 and MariaDB 10.1

Please let me know if you need more info or if I am not clear on something.

Thank you

Re: Entire Forum Search and Permissions

Reply #1
Hi pi.tech and welcome to elk.net. :)

Hmm... I just did a search here on this forum and (with this setup of permissions and configuration) it seems to work: I searched for a sentence present in a post in a board accessible only to a certain member group, using a user that doesn't belong to any particular group, and in the results there is nothing from the hidden board. I also did the second check and searched for the same sentence with a user that can access the board, and the result is there.

That said, of course, let's not immediately exclude a bug, but let's first review your configuration so that I can replicate the conditions locally.

Please do not change these settings now unless you really are in a hurry; I would like to understand where the issue is in order to both give you a properly configured forum and be sure not to have to deal with a bug. :)

So:
1) do you have enabled deny permissions? (admin > members > member groups > settings)
2) do you have enabled permissions for post-based groups? (admin > members > member groups > settings)
3) do you have enabled the option to deny access to boards? (admin > forum > boards > settings)
4) what kind of search index have you set up, if any? (admin > forum > search > search method)
When you answer these questions I may have more to ask.
Bugs creator.
Features destroyer.
Template killer.

Re: Entire Forum Search and Permissions

Reply #2
I can't reproduce it on 1.0.x, but I can reproduce it on my test forum based on 1.1.2 with a guest member and topics inserted into our STAFF board, only for admins and moderators.  :o  Can't reproduce it on elkarte.net.

On my 1.1.2 forum:

1) do you have enabled deny permissions? (admin > members > member groups > settings)
No, it's disabled (the correct path is Members > Permissions > Settings)
2) do you have enabled permissions for post-based groups? (admin > members > member groups > settings)
Yes, it's enabled (the correct path is Members > Permissions > Settings)
3) do you have enabled the option to deny access to boards? (admin > forum > boards > settings)
Disabled
4) what kind of search index have you set up, if any? (admin > forum > search > search method)
No index
When you answer these questions I may have more to ask.
Let me know, since it's a test board I can give you full access to do all the tests you want.

== edit ==
and the search results are not working fine: I searched for a word which probably exists 3-4 times in a couple of topics, and in the search results I get 40 pages of results.
sorry for my bad english

Re: Entire Forum Search and Permissions

Reply #3
Thank you so much for the welcome and quick reply.

I would like to echo radu81
Quote
I can't reproduce it on 1.0.x,

I am relatively new to ElkArte and started with v1.0.x late last year and recently moved to the 1.1 series when it was released. I do not recall this behavior but I have no real way to test now.

Quote
Please do not change these settings now unless you really are in a hurry; I would like to understand where the issue is in order to both give you a properly configured forum and be sure not to have to deal with a bug. :)

Very good. When I saw the problem I immediately disabled search for everyone. I will be able to answer your questions as soon as I get back to my main workstation, within about 30 mins or so.

Thank you again!

Re: Entire Forum Search and Permissions

Reply #4
Quote
I am relatively new to ElkArte and started with v1.0.x late last year and recently moved to the 1.1 series when it was released. I do not recall this behavior but I have no real way to test now.

I guess it affects only the 1.1.x version, not 1.0.x, otherwise it would already have been reported in all these years.

p.s. welcome to elkarte ;)
sorry for my bad english

Re: Entire Forum Search and Permissions

Reply #5
Quote
== edit ==
and the search results are not working fine: I searched for a word which probably exists 3-4 times in a couple of topics, and in the search results I get 40 pages of results.

Thank you radu, much appreciated. Yes, I noticed that I had a lot of results also.

Quote
1) do you have enabled deny permissions? (admin > members > member groups > settings)
2) do you have enabled permissions for post-based groups? (admin > members > member groups > settings)

Both No, see attached as well.

Quote
3) do you have enabled the option to deny access to boards? (admin > forum > boards > settings)
***edit this should have been separate.
No, all unchecked as per attachment as well.

Quote
4) what kind of search index have you set up, if any? (admin > forum > search > search method)

No, and I did not set up any index, just default install. see attached as well.

Quote
When you answer these questions I may have more to ask.

No problem, I am available whenever you have more.

Thank you (both) again.

Re: Entire Forum Search and Permissions

Reply #6
Okay, I can confirm the bug.
It can be classified as a security issue, but since it's already public there are not many reasons to hide it.
I'm working on finding the root cause.
I'll try to prepare a fix and push it in the release of tomorrow evening.
Bugs creator.
Features destroyer.
Template killer.

Re: Entire Forum Search and Permissions

Reply #7
As a stop-gap measure I would suggest to go to admin > forum > search > search methods and to select "Fulltext index" or (if you cannot select the first because not supported by your configuration) to create a custom index and then use "custom index". This second option will consume more database space.
Bugs creator.
Features destroyer.
Template killer.

Re: Entire Forum Search and Permissions

Reply #8
Quote
Okay, I can confirm the bug.
It can be classified as a security issue, but since it's already public there are not many reasons to hide it.
I'm working on finding the root cause.
I'll try to prepare a fix and push it in the release of tomorrow evening.

I appreciate you getting on that so quickly. Not that something like this would come up again, but, should I have handled it differently (***edit as in making the post in the support forum)?

Also, I was looking for how to donate or do something for the project but have not seen any links on the front page, is there anything?

 

Re: Entire Forum Search and Permissions

Reply #9
I think I have nailed it down.
Could you please try this and see if it fixes the issue?
Locate the file: sources/subs/Search.php
then find:
Code:
if (is_callable(array($this->_searchAPI, 'prepareWord')))
and replace it with:
Code:
if (is_callable(array($this->_searchAPI, 'indexedWordQuery')))

I did some tests and it works for me.
Take into consideration that searches are a bit of a pain because caches are kept in order to reduce the load as much as possible; the ideal solution is to use a clean session id, for example by using an incognito/private window of your browser and closing it between each test.
Bugs creator.
Features destroyer.
Template killer.
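
The two-way check from Reply #1 (a non-member must get no hit from a restricted board, a member must still get one), written as a repeatable audit; this is an added example, not code from the thread or from ElkArte. The board map, users, canary phrases and both search functions are constructed, and `search_unfiltered` only stands in for the symptom reported in this topic, not for ElkArte's actual query.

```python
"""Canary-based check that search honours board permissions (constructed data)."""

# Constructed model: which member groups may read each board.
BOARD_GROUPS = {1: {"cat_a"}, 2: {"cat_b"}, 3: {"staff"}}
# One post per board, each carrying a canary phrase unique to that board.
POSTS = [
    {"id": 101, "board": 1, "body": "canary-alpha budget notes"},
    {"id": 102, "board": 2, "body": "canary-bravo budget notes"},
    {"id": 103, "board": 3, "body": "canary-charlie budget notes"},
]
CANARIES = {1: "canary-alpha", 2: "canary-bravo", 3: "canary-charlie"}
USERS = {"alice": {"cat_a"}, "bob": {"cat_b"}, "guest": set()}


def readable_boards(groups):
    """Boards whose allowed groups intersect the searcher's groups."""
    return {b for b, allowed in BOARD_GROUPS.items() if allowed & groups}


def search_filtered(phrase, groups):
    """Expected behaviour: only posts in boards the searcher can read."""
    boards = readable_boards(groups)
    return [p for p in POSTS if phrase in p["body"] and p["board"] in boards]


def search_unfiltered(phrase, groups):
    """Stand-in for the reported symptom: board access is not applied."""
    return [p for p in POSTS if phrase in p["body"]]


def audit(search_fn):
    """Return (user, board, problem) tuples; an empty list means the search
    results match board permissions in both directions."""
    findings = []
    for user, groups in sorted(USERS.items()):
        allowed = readable_boards(groups)
        for board, phrase in sorted(CANARIES.items()):
            hit = any(p["board"] == board for p in search_fn(phrase, groups))
            if hit and board not in allowed:
                findings.append((user, board, "leak"))      # sees a hidden board
            elif not hit and board in allowed:
                findings.append((user, board, "missing"))   # over-filtered
    return findings


if __name__ == "__main__":
    print("filtered:  ", audit(search_filtered))
    print("unfiltered:", audit(search_unfiltered))
```

Against a real forum, `search_fn` would submit the search as the given user in a fresh session for every probe, since Reply #9 notes that cached search results can hide the effect of a change.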

Re: Entire Forum Search and Permissions

Reply #10
Quote
I appreciate you getting on that so quickly. Not that something like this would come up again, but, should I have handled it differently (***edit as in making the post in the support forum)?

But it is likely to come up every once in a while.
We have to set up a proper contact form for this kind of situation, really it's something long overdue...
At the moment the best shot is to PM one or all of: me, Spuds or TE.

Quote
Also, I was looking for how to donate or do something for the project but have not seen any links on the front page, is there anything?

Nope, never set up anything.
But for the moment there are not many costs involved (I guess, I wasn't able myself to convince who is offering the server to accept at something). :)
Bugs creator.
Features destroyer.
Template killer.

Re: Entire Forum Search and Permissions

Reply #11

Quote
Locate the file: sources/subs/Search.php
then find:
Code:
if (is_callable(array($this->_searchAPI, 'prepareWord')))
and replace it with:
Code:
if (is_callable(array($this->_searchAPI, 'indexedWordQuery')))

I did some tests and it works for me.

Ok, I changed the string here

Quote
/sources/subs/Search/Search.php

// We building an index?
if (is_callable(array($this->_searchAPI, 'prepareWord')))

With

Quote
// We building an index?
if (is_callable(array($this->_searchAPI, 'indexedWordQuery')))

and tested. Yes! That seems to work correctly. I am now getting only results from the user's category.

Re: Entire Forum Search and Permissions

Reply #12
Great and thanks for confirming!
Search is always a p.i.t.a. xD
Bugs creator.
Features destroyer.
Template killer.

Re: Entire Forum Search and Permissions

Reply #13
Thank you for looking into it so quickly.

I am testing the different search options as well as some of the Search Method options. All seems to be working ok so far.

I may enable the Fulltext index and other options on my test server tomorrow just to see how it goes.

Appreciate it and will message back if I run into anything as I test things out.

Thanks again for all the work you guys do here.
All the best!