Search is too good!

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=10202
Printed Date: 15 April 2026 at 11:00pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Search is too good!
Posted By: fbridge2
Subject: Search is too good!
Date Posted: 28 April 2004 at 1:37pm

I have a very secure forum where all forums are Private Groups and each is user enabled on a member by member basis. (This is the only way I could overcome the deficiency where members cannot be in Multiple Groups ). However, when a user does a search they are given the SUBJECT list for ALL forums not just the ones they have access for. Subsequent clicks disallow them from viewing the whole post but still they have discovered areas to which they are not privy. Has anyone fixed this?

Regards
Frank



-------------
old dog eager to learn new tricks



Replies:
Posted By: michael
Date Posted: 28 April 2004 at 2:10pm
This is by design to speed up searches afair. You could somewhat easily fix that yourself but may encounter performance issues.

-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


Posted By: thekiwi
Date Posted: 28 April 2004 at 2:55pm
Originally posted by fbridge2:

I have a very secure forum where all forums are Private Groups and each is user enabled on a member by member basis. (This is the only way I could overcome the deficiency where members cannot be in Multiple Groups ). However, when a user does a search they are given the SUBJECT list for ALL forums not just the ones they have access for. Subsequent clicks disallow them from viewing the whole post but still they have discovered areas to which they are not privy. Has anyone fixed this?

Regards
Frank


Yes ... but only for SQL Server ... and no it doesn't incur a performance hit.


-------------
Cheers
TheKiwi
http://www.infobahn.co.nz - Internet Infobahn - website design and hosting


Posted By: fbridge2
Date Posted: 28 April 2004 at 5:36pm

Many thanks. I will have a go and post the results back here (if successful!)

Frank



-------------
old dog eager to learn new tricks


Posted By: fbridge2
Date Posted: 29 April 2004 at 9:30am

Piece of cake!

Collect the forum ids to which the user has access on the search_form and store in a hidden input. Collect from the select named "FM"

<input name="INPARAMS" type="hidden" value="(5,4,7,6)">

this is now passed to search.asp and can be inserted in the SQL statement as

"WHERE Forum_ID IN " & Request.QueryString("INPARAMS")

I suppose this could be considered insecure as the params are sent as POST info but for speed there is little or no overhead as suggested. These could be obfuscated if needs be.

Regards
Frank



-------------
old dog eager to learn new tricks


Posted By: Munawar
Date Posted: 11 April 2005 at 9:03pm
Hi fbridge2,
  I used your fix and it works.  Thanks for the help.
 
  To clean this code up, you could move the "Forum Access" check into search.asp, that way you don't have to use the hidden input.  Anyway, it works, and I'm not too picky ;).

Munawar


Posted By: dj air
Date Posted: 12 April 2005 at 6:03am
Also using that INPARAMS to fold the forums they can access is a security risk for what you want.

Because searches use the get command the forums allowed are shown within the querystring, so a user can change that to allow them viewability to all forums.

As suggested it's best to do the check on the search page
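
Added example, not part of the original thread and not Web Wiz Forums code: a Python/SQLite sketch contrasting a forum list taken from the request (the INPARAMS approach) with a permission check done inside the search query, as suggested above. The table names, column names, member ids and rows are constructed for illustration and are assumptions, not the application's schema.

```python
import sqlite3

# Constructed schema and rows; names are assumptions, not the Web Wiz Forums schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topic (topic_id INTEGER PRIMARY KEY, forum_id INTEGER, subject TEXT);
        CREATE TABLE forum_access (member_id INTEGER, forum_id INTEGER);
        INSERT INTO topic VALUES (1, 4, 'Budget meeting notes'),
                                 (2, 5, 'Budget for the picnic'),
                                 (3, 9, 'Budget cuts: staff only');
        INSERT INTO forum_access VALUES (10, 4), (10, 5), (20, 9);
    """)
    return db

def search_client_list(db, keyword, inparams):
    """INPARAMS approach: the permitted-forum list arrives with the request."""
    # The request value is trusted as the permission set and is concatenated
    # into the SQL text, mirroring the snippet in the thread.
    sql = ("SELECT subject FROM topic WHERE subject LIKE ? "
           "AND forum_id IN " + inparams + " ORDER BY topic_id")
    return [row[0] for row in db.execute(sql, (f"%{keyword}%",))]

def search_server_check(db, keyword, member_id):
    """Check on the search page: permissions are looked up from the member id
    held in the server-side session, so nothing in the request can widen them."""
    sql = """SELECT t.subject FROM topic t
             JOIN forum_access a ON a.forum_id = t.forum_id
             WHERE a.member_id = ? AND t.subject LIKE ?
             ORDER BY t.topic_id"""
    return [row[0] for row in db.execute(sql, (member_id, f"%{keyword}%"))]

if __name__ == "__main__":
    db = make_db()
    # Member 10 may see forums 4 and 5 only.
    print(search_client_list(db, "Budget", "(5,4)"))    # list as the form built it
    print(search_client_list(db, "Budget", "(5,4,9)"))  # list changed in the request
    print(search_server_check(db, "Budget", 10))        # request cannot change this
```

The join adds one indexed lookup per search, which is the cost the thread weighs against exposing subjects from private forums.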


Posted By: aaronm32
Date Posted: 26 October 2005 at 5:11pm
I'll take a slightly slower search over the security risk of allowing users to access parts of the forum they shouldn't be allowed to see any day.  Thanks for the code Frank!


