Notification-Issue in NotificationService

[heikojentzsch]

there is from my personal perpective a security issue in the Class NotificationService inside the Method "notifyForumSubscribers(...)"

the method iterates over the forum structure setting parent forum as current forum. doing this the readAccess is always checked against the current forum which is in this moment the parent forum. in line 139 i think there has to be a check against the current forum AND always against the forum in which the new topic is written.

We fixed it in our instance by editing the method to the following version where we added a variable "$originalforum" which is additionally checked:

	protected function notifyForumSubscribers(Forum $forum, Topic $topic, Post $post) {

		$subject = Localization::translate('Mail_Subscribe_NewTopic_Subject');
		$messageTemplate = Localization::translate('Mail_Subscribe_NewTopic_Body');
		$postAuthorUid = $post->getAuthor()->getUid();

		$notifiedSubscribers = [];

		$originalforum = $forum;

		while ($forum) {
			$message = $this->getMessage($forum, $topic, $post, $messageTemplate, $this->getForumUnsubscribeLink($forum));

			foreach ($forum->getSubscribers() as $subscriber) {
				if (!$notifiedSubscribers[$subscriber->getUid()] && $forum->checkReadAccess($subscriber) && $originalforum->checkReadAccess($subscriber) && $subscriber->getUid() !== $postAuthorUid) {
					$subscriberMessage = nl2br(str_replace('###RECIPIENT###', $subscriber->getUsername(), $message));
					$this->htmlMailingService->sendMail($subscriber, $subject, $subscriberMessage);
					$notifiedSubscribers[$subscriber->getUid()] = TRUE;
				}
			}

			$forum = $forum->getParent();
		}
	}