
access to hidden topics (Minor Detail :-)

hans3702
Mod Builder Group


Joined: 23 March 2003
Location: Netherlands
Status: Offline
Points: 141
    Posted: 23 March 2003 at 11:16am

Hi,

I run the version 7 forum because of the many ways of giving rights to users, groups and forums. But in B3 and B4 everyone can access all the topics by right-clicking the printable version and cutting and pasting the link.

like this: http://forums.webwiz.net/printer_friendly_posts.asp?FID=1&TID=1

Just put a number in TID=1 or 2 or 190
and without logging in you can read every topic, even the ones accessible to private groups only

I think some extra testing for permissions in the printer_friendly_post.asp or even a check for the correct page calling this page will do.

JHH

 

changed B7 -> B4 (typo)



Edited by hans3702
WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 24 March 2003 at 3:22am

I will look into this.

eaglesexec
Groupie

Joined: 02 December 2002
Status: Offline
Points: 127
Posted: 24 March 2003 at 10:49am
yikes. i tried it and it works. a security hole. i was logged out, cleared my cookies and i could view the printable versions of topics in private forums.
A good plan, violently executed now, is better than a perfect plan next week. -General George S. Patton.
WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 24 March 2003 at 10:52am

Replace the ASP code in the printer_friendly_posts.asp from underneath the functions with the following:-

'Dimension variables
Dim rsForumPerm   'Holds the forum permissions to be checked
Dim strForumName  'Holds the forum name
Dim strForumDescription  'Holds the description of the forum
Dim lngTopicID   'Holds the topic number
Dim strSubject   'Holds the topic subject
Dim strUsername   'Holds the Username of the thread
Dim dtmTopicDate  'Holds the date the thread was made
Dim strMessage   'Holds the message body of the thread
Dim intForumID   'Holds the ID number of the forum


'Initialise variables
lngTopicID = 0
intForumID = 0


'Read in the Topic ID to display the posts for
lngTopicID = CLng(Request.QueryString("TID"))


'If there is no Topic ID then redirect the user to the main forum page
If lngTopicID = 0 Then

 'Clean up
 Set rsCommon = Nothing
 adoCon.Close
 Set adoCon = Nothing

 'Redirect
 Response.Redirect "default.asp"
End If


'Get the posts from the database

'Initialise the strSQL variable with an SQL statement to query the database get the thread details
strSQL = "SELECT " & strDbTable & "Forum.Forum_ID, " & strDbTable & "Thread.Message, " & strDbTable & "Thread.Message_date, " & strDbTable & "Thread.Show_signature, " & strDbTable & "Forum.Forum_name, " & strDbTable & "Forum.Forum_description, " & strDbTable & "Author.Username, " & strDbTable & "Author.Signature, " & strDbTable & "Topic.Subject "
strSQL = strSQL & "FROM (" & strDbTable & "Forum INNER JOIN " & strDbTable & "Topic ON " & strDbTable & "Forum.Forum_ID = " & strDbTable & "Topic.Forum_ID) INNER JOIN (" & strDbTable & "Author INNER JOIN " & strDbTable & "Thread ON " & strDbTable & "Author.Author_ID = " & strDbTable & "Thread.Author_ID) ON " & strDbTable & "Topic.Topic_ID = " & strDbTable & "Thread.Topic_ID "
strSQL = strSQL & "WHERE (((" & strDbTable & "Thread.Topic_ID)=" & lngTopicID & ")) "
strSQL = strSQL & "ORDER by " & strDbTable & "Thread.Message_Date ASC;"

'Query the database
rsCommon.Open strSQL, adoCon

'If there is no topic in the database then display the appropriate message
If rsCommon.EOF Then
 'If there are no threads to display then display the appropriate error message
 strSubject = strNoThreads

Else
 'Read in the thread subject
 strSubject = rsCommon("Subject")
 
 'Read in the forum ID to check if the user can view the post
 intForumID = rsCommon("Forum_ID")
End If

 

 

'Create a recordset to check if the user is allowed to view posts in this forum
Set rsForumPerm = Server.CreateObject("ADODB.Recordset")

'Read in the forum name and forum permissions from the database
'Initialise the strSQL variable with an SQL statement to query the database
If strDatabaseType = "SQLServer" Then
 strSQL = "EXECUTE " & strDbProc & "ForumsAllWhereForumIs @intForumID = " & intForumID
Else
 strSQL = "SELECT " & strDbTable & "Forum.* FROM " & strDbTable & "Forum WHERE " & strDbTable & "Forum.Forum_ID = " & intForumID & ";"
End If

'Query the database
rsForumPerm.Open strSQL, adoCon


'If there is a record returned by the recordset then check to see if you need a password to enter it
If NOT rsForumPerm.EOF Then

 'Check the user is welcome in this forum
 Call forumPermisisons(intForumID, intGroupID, CInt(rsForumPerm("Read")), CInt(rsForumPerm("Post")), CInt(rsForumPerm("Reply_posts")), CInt(rsForumPerm("Edit_posts")), CInt(rsForumPerm("Delete_posts")), 0, CInt(rsForumPerm("Poll_create")), CInt(rsForumPerm("Vote")), CInt(rsForumPerm("Attachments")), CInt(rsForumPerm("Image_upload")))

 'If the user has no read rights then kick them
 If blnRead = False Then

  'Reset Server Objects
  rsForumPerm.Close
  Set rsForumPerm = Nothing
  Set rsCommon = Nothing
  adoCon.Close
  Set adoCon = Nothing


  'Redirect to the insufficient permission page
  Response.Redirect "insufficient_permission.asp"
 End If

 'If the forum requires a password and a logged in forum code is not found on the users machine then send them to a login page
 If rsForumPerm("Password") <> "" AND Request.Cookies("PrForum")("Forum" & intForumID) <> rsForumPerm("Forum_code") Then

  'Reset Server Objects
  rsForumPerm.Close
  Set rsForumPerm = Nothing
  Set rsCommon = Nothing
  adoCon.Close
  Set adoCon = Nothing

  'Redirect to a page asking for the user to enter the forum password
  Response.Redirect "forum_password_form.asp?RP=PT&FID=" & intForumID & "&TID=" & lngTopicID
 End If
End If

hans3702
Mod Builder Group


Joined: 23 March 2003
Location: Netherlands
Status: Offline
Points: 141
Posted: 26 March 2003 at 7:28am

Just wondering why the access rights check isn't an "include"

Oh, BoRg, I just want to say: Keep on going. But I will stay at version 7B3, the new options make it more a real forum, and with the old one you got a great base for more uses than just a plain forum. See also my posting at http://forums.webwiz.net/forum_posts.asp?TID=1353&PN=1

JHH
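
The "include" idea raised in this last post, sketched as an added example (not Web Wiz code and not part of the thread): one shared sub that every page rendering a topic calls before producing output, so an alternate view such as the printer-friendly page cannot skip the read check. The sub name requireTopicReadAccess and its strReturnCode parameter are hypothetical; adoCon, strDbTable, intGroupID, blnRead, forumPermisisons and the column names are taken from the fix posted above and assumed to be defined already.

```vbscript
'Added example for a shared include file (place between <% and %>).
'Hypothetical names: requireTopicReadAccess, strReturnCode.
'Assumed to exist already, as in the posted fix: adoCon, strDbTable,
'intGroupID, blnRead and the forumPermisisons sub.
'Usage at the top of each topic page, before any output:
'   Call requireTopicReadAccess(Request.QueryString("TID"), "PT")

Sub requireTopicReadAccess(ByVal lngCheckTopicID, ByVal strReturnCode)

 Dim rsPerm          'Holds the forum row the topic belongs to
 Dim strPermSQL      'Holds the SQL for the lookup
 Dim intPermForumID  'Holds the ID of that forum
 Dim strRedirect     'Holds where to send a user who may not read

 'CLng leaves a number only, so it can be concatenated into the SQL
 lngCheckTopicID = CLng(lngCheckTopicID)

 'Resolve the forum from the topic itself, never from a FID in the URL
 strPermSQL = "SELECT " & strDbTable & "Forum.* FROM " & strDbTable & "Forum "
 strPermSQL = strPermSQL & "INNER JOIN " & strDbTable & "Topic ON " & strDbTable & "Forum.Forum_ID = " & strDbTable & "Topic.Forum_ID "
 strPermSQL = strPermSQL & "WHERE " & strDbTable & "Topic.Topic_ID = " & lngCheckTopicID & ";"

 Set rsPerm = Server.CreateObject("ADODB.Recordset")
 rsPerm.Open strPermSQL, adoCon

 'Fail closed: an unknown topic is handled the same as no permission
 strRedirect = "insufficient_permission.asp"

 If NOT rsPerm.EOF Then
  intPermForumID = CInt(rsPerm("Forum_ID"))
  Call forumPermisisons(intPermForumID, intGroupID, CInt(rsPerm("Read")), CInt(rsPerm("Post")), CInt(rsPerm("Reply_posts")), CInt(rsPerm("Edit_posts")), CInt(rsPerm("Delete_posts")), 0, CInt(rsPerm("Poll_create")), CInt(rsPerm("Vote")), CInt(rsPerm("Attachments")), CInt(rsPerm("Image_upload")))

  If blnRead Then
   strRedirect = ""
   'Password protected forum without the forum code cookie
   If rsPerm("Password") <> "" AND Request.Cookies("PrForum")("Forum" & intPermForumID) <> rsPerm("Forum_code") Then
    strRedirect = "forum_password_form.asp?RP=" & strReturnCode & "&FID=" & intPermForumID & "&TID=" & lngCheckTopicID
   End If
  End If
 End If

 rsPerm.Close
 Set rsPerm = Nothing

 'Response.Redirect ends the response, so nothing below the call runs
 If strRedirect <> "" Then
  adoCon.Close
  Set adoCon = Nothing
  Response.Redirect strRedirect
 End If
End Sub
```

Unlike the posted fix, this version sends a request for a non-existent topic to insufficient_permission.asp rather than showing the "no threads" message, so the response does not distinguish missing topics from private ones.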
