profile information ignores forum visibility settings

[osusoy]

ok, it seems the member was confused but there is a privacy leak. I don't think this will be very straightforward but an unauthorised member can see titles of forum topics under a privileged member's profile. example case:

• we have a private forum for the highest rank category. only members of that category get read/write access, everyone else is oblivious to it's existence. it is a place where plans and strategies are formulated so no information from there should ever be visible to others.
• i go and get involved in a thread there, either create one or comment on an existing one
• a member without any permissions for the forum can still see the thread topic in my profile information under "Last Seen"

it might not seem too major but we allow members as ambassadors of hostile groups so it is critical that they have no idea what is being discussed in the groups they are not allowed in and a title can give a lot away.

[bluethrust]

Hmm, the only real way I see fixing this would be to universally censor the page name for posts in private forums, even for people who would have access to it. The last page seen essentially just saves a link in the database to where the person last was and uses the page title as the link text. It would require either building a whole system just for that tiny feature or simply censoring page names for private forums. If you have a better idea, let me know. I could make the "last seen" portion of the profile something that you can set as a rank privilege, that wouldn't be too difficult.

[bluethrust]

Actually thought of another way, saving last seen forum posts as some json with the forum id in the database then on the profile page doing something with it to check if it's json, see if they have access to the forum. That wouldn't be too hard.

[osusoy]

with this code, you will generally have the better idea. My idea would be to find funding and rewrite the whole thing into a full-blown modern day application that would eat the competition and take over the market for clan software ;) respect for what you have achieved with it though.

with where we are, the json idea sounds good, just need some location history before falling back to a default. it could just be a simple array of references of the same type as what you are already using and the profile page just walks through it till it finds something it can show the current user. if the current user doesn't have access to any of the last seen references (some arbitrary but fixed number of records, preferably defined in settings or config), maybe just display something like 'private' by default?