I installed MOphpBB3 Aruba 6.0 on phpBB 3.07 PL1. Works optically fine, but...
Users who have restricted rights have full access to unauthorised subforums when they use MOphpBB3!
What's going on there?
I did some test on my board for security reasons but I did not found any issue with permissions (phpbb 3.0.8 and MO Aruba 6.0).
Would you be so kind to describe how to replicate the issue?
There is a permission/authorization issue in my module.
The root cause is my mobile module does not use all phpBB3 content, I just display some of it. (My module is not a theme solution.) So my code does not go through phpBB3 code thread completely, it only run some of it. The risk is when I make a permission/authorization mistake, there will be a permission/authorization issue, just like this one.
In detail, for this issue, the error is I use "Can see forum" permission as "Can read forum" one (actually, they have different meaning) -- if one registered user has "Can see forum" permission of one restricted forum, but does not have "Can read forum" permission, he/she should be able to read the forum title, but can not read topic title/content within this forum; while through my module, the topic title/content is displayed there. (If you use default phpBB3 user group, which enables/disables "Can see" and "Can read" at the same time, you do not have this issue.)
This is the top one issue I am working right now. I will provide a bug fix version and notify all user to update their code. I will also provide a description of this issue in my web site high light section.
Any question, please let me know.