’Move posts’ security bug

I've searched for this and can't find reference for any wwf version. I tested and verified it in WWF 7.9.

Our forum has a number of private areas for different teams. Each team area has a moderator, obviously; also each area is set to be invisible to users without access rights (although topic titles still appear under active topics).

One team moderator has noticed that he can "move" posts.

He also noticed that when doing so, ALL forums are listed including all the hidden forums which normally he can't see.

He can then successfully move a topic into another team's forum.

At that point he cannot see the topic any longer, as it's in a forum he doesn't have permission to see or enter.

This has two implications:

Firstly, it is possible (as his proof of concept did) to insert messages into someone else's private forum.

Secondly, it is possible that one could accidentally move an entire (confidential) topic into a rival team's forum, after which one cannot read it or remove it while the rival team can.

-boRg- wrote: The moving of posts by moderators between forums allows moderators to move posts to forums they are not moderators in

That's fine - but moving a post to a forum for which a person isn't a moderator is not the problem (I can see why that could be useful), it's that a moderator can move a post into a forum that normally he cannot see or access.

I accept it would reduce performance (slightly), but if, for example, the drop-down list of destinations to move a post to was filtered as the forum default page is, to only display the forums to which the moderator has (at least read) access, that would do.

Certainly in our case, it's highly unlikely that anyone will have access to two areas *and* that the moderator of one will be completely excluded from the other.

Maybe other users will have different opinions.