
Admin/Mod Replies Disclosed in Search on post approval topics #5534

Closed
VBGAMER45 opened this issue Mar 24, 2019 · 18 comments · Fixed by #5679

Comments

@VBGAMER45
Contributor

Description

If you have a board/membergroup with post approval, replies made by admins/mods will be searchable in the SMF search system.

Steps to reproduce

  1. Turn on poster moderation for a membergroup.
  2. Post as that membergroup, causing a topic to require approval.
  3. Post as an admin to reply to that topic. Enter text such as "hidden", for example.
  4. Then log out and search as a guest on your forum for "hidden", and it will appear in the search results.

Environment (complete as necessary)

  • Version/Git revision: SMF 2.1 RC1; affects SMF 2.0.x as well.
  • Database Type:
  • Database Version:
  • PHP Version:

Additional information/references

@VBGAMER45
Contributor Author

VBGAMER45 commented Mar 24, 2019

Note: this is also shown on the action=recent page...
And in SSI Recent Posts; it would probably affect recent polls as well if not approved. Thinking the same issue might exist with recent attachments if the attachment has approval.

@albertlast
Collaborator

Which search index do you use?
  • none
  • custom
  • full text

@VBGAMER45
Contributor Author

none.

Also note it records the post by the admin as counted in the board index in the topic. But as you can see, there are no approved topics.

@albertlast
Collaborator

I'm not 100% sure if the count thing should be fixed;
without looking at the code, I guess this would affect performance without much gain.

@VBGAMER45
Contributor Author

Yeah, I agree on that. There is going to be some performance hit. I guess making sure the topic that the message is part of is approved, to fix the recent posts page and search issue.

@albertlast
Collaborator

albertlast commented Mar 26, 2019

While trying to fix it,
I noticed that SSI recent already has a check:
https://github.com/SimpleMachines/SMF2.1/blob/942d5c771b5a24f404cbbf9447f0f6905e6c984b/SSI.php#L401-L402

Noticeable here is that a much easier logic is used than the one I tried to use:
$only_approved = $modSettings['postmod_active'] && !allowedTo('approve_posts') && !allowedTo('manage_boards');
The question for the group would be:
which way do we go?
Show only approved messages on recent, regardless of your rights?
Show only approved messages on search, regardless of your rights?

@Arantor @Sesquipedalian your opinion would be welcome

@Oldiesmann
Contributor

We should show whatever applies based on your rights - if you have the ability to approve things you should be able to see them in the recent posts list/search results.

@albertlast
Collaborator

Okay, SSI recent checks only for approved messages and not approved topics,
but the question still remains
how the behavior should be.

@Arantor
Contributor

Arantor commented Mar 26, 2019

The issue is that replies to a topic that is moderated are not themselves moderated. The tests all need to also check topic approval, as well as message approval.

@albertlast
Collaborator

I ask for the wanted behavior, not how to implement it.

@Arantor
Contributor

Arantor commented Mar 26, 2019

Fine, I'll rephrase it for you since clearly the intent of what I was suggesting wasn't clear enough.

Make it check for moderated topic status as well as moderated post status. The tests all need to exclude unapproved topics if they similarly exclude unapproved posts and you can't see those unapproved topics/posts.

@Sesquipedalian
Member

@Arantor is correct. This needs to check whether the topic is approved as well as whether the post itself is approved.

Also, the manage_boards permission should not be part of the logic here. That permission does not give the ability to approve or disapprove of posts or topics, so it should not play any role in deciding whether to show unapproved posts and topics.

@albertlast
Collaborator

Like I wrote in the issue,
manage_boards has the right to see them (dunno why).

So it makes less sense not to be able to search them.

@Sesquipedalian
Member

> the manage_boards got the right to see them (dunno why).

They shouldn't. Where do you see that happening?

@Sesquipedalian
Member

To be clear, members with the manage_boards permission can see all boards. That doesn't mean they can see all topics or posts.

@albertlast
Collaborator

Oh, I guess my test case was wrong,
because I created the unapproved topic with my manage_boards user.

Then the other way around:
should a user be able to search for his own unapproved topic?

@Sesquipedalian
Member

> should be a user be able to search for his own unapproved topic?

Yes.

@Sesquipedalian
Member

But if the topic is unapproved and does not belong to the user, then searching for posts inside the topic should not show anything (unless the user also has the approve_posts permission, of course).
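
The visibility rule the thread converges on, as an added PHP example that is not SMF code and not written by any participant: a message is listed only if both the message and its topic are approved or belong to the viewer, and only approve_posts (not manage_boards) lifts the filter. The array keys, the function names canSeeMessage() and search(), and the sample rows are constructed for illustration; letting a topic's author see approved replies inside their own pending topic is an assumption.

```php
<?php
// Constructed sample data: topic 1 is awaiting approval; the admin's reply to it
// is itself stored as approved, which is how it reached search results.
$topics = [
    1 => ['approved' => false, 'id_member_started' => 5],
    2 => ['approved' => true,  'id_member_started' => 7],
];
$messages = [
    ['id_msg' => 10, 'id_topic' => 1, 'id_member' => 5, 'approved' => false, 'body' => 'first post'],
    ['id_msg' => 11, 'id_topic' => 1, 'id_member' => 1, 'approved' => true,  'body' => 'hidden reply'],
    ['id_msg' => 12, 'id_topic' => 2, 'id_member' => 7, 'approved' => true,  'body' => 'nothing hidden here'],
];

// Hypothetical helper: may this viewer see this message in search / recent posts?
// $checkTopic = false reproduces the message-only check described in the report.
function canSeeMessage(array $msg, array $topic, array $viewer, bool $postmodActive, bool $checkTopic = true): bool
{
    // Only approve_posts lifts the filter; manage_boards plays no part.
    if (!$postmodActive || $viewer['approve_posts']) {
        return true;
    }
    $isMember = $viewer['id'] > 0; // guests (id 0) own nothing
    $msgOk   = $msg['approved']   || ($isMember && $msg['id_member'] === $viewer['id']);
    $topicOk = $topic['approved'] || ($isMember && $topic['id_member_started'] === $viewer['id']);
    return $msgOk && (!$checkTopic || $topicOk);
}

// Hypothetical search: substring match, then the visibility filter; returns message ids.
function search(string $term, array $viewer, bool $checkTopic = true): array
{
    global $topics, $messages;
    $hits = [];
    foreach ($messages as $msg) {
        if (stripos($msg['body'], $term) !== false
            && canSeeMessage($msg, $topics[$msg['id_topic']], $viewer, true, $checkTopic)) {
            $hits[] = $msg['id_msg'];
        }
    }
    return $hits;
}

$guest     = ['id' => 0, 'approve_posts' => false];
$author    = ['id' => 5, 'approve_posts' => false];
$moderator = ['id' => 1, 'approve_posts' => true];

var_dump(search('hidden', $guest, false)); // message-only check: reply 11 is listed
var_dump(search('hidden', $guest));        // topic check added: reply 11 is filtered out
var_dump(search('hidden', $author));       // owner of the pending topic
var_dump(search('hidden', $moderator));    // holder of approve_posts
```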
