Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Mentioned by" on posts sometimes leaks hidden posts #3846

Closed
matteocontrini opened this issue Jun 24, 2023 · 5 comments
Closed

"Mentioned by" on posts sometimes leaks hidden posts #3846

matteocontrini opened this issue Jun 24, 2023 · 5 comments
Labels
needs-verification type/bug

Comments

@matteocontrini
Copy link
Contributor

matteocontrini commented Jun 24, 2023
edited
Loading

Current Behavior

When a post (A) is mentioned by another post (B), and post B is hidden, the "mentioned by" section at the bottom of post A shows the preview of post B, even if the post is hidden and the user/actor is not authorized to see hidden posts.

Note that this doesn't happen if flarum/issue-archive#76 gets in the way: in that case, the mention is deleted from the db and thus post A doesn't show post B as a reply to it.

If you're wondering why this issue actually exists, since flarum/issue-archive#76 should make it impossible: I have no idea, I just know for sure that it happens even on the latest stable version, after seeing multiple occurences of that on a forum I manage (see example below).

Steps to Reproduce

Theoretically, these would be the steps that reproduce the issue:

  1. Create post A
  2. Create post B as a reply to post A
  3. Delete post B
  4. Logout or login as a non-privileged user and notice that on post A it says that post B is a reply, and you can see a preview of it
image

The post by Joanlui in the screenshot above is actually hidden. (Ignore the gap between the two posts, that's a placeholder for ads.)

What I see as an admin:

image

Link to that post, if it helps: https://forum.fibra.click/d/25781-bolletta-luce-e-gas-cosa-scelgo/8274

Expected Behavior

Hidden posts should never be shown to standard users.

Screenshots

No response

Environment

  • Flarum version: 1.8.1

Output of php flarum info

I can provide it if relevant.

Possible Solution

No response

Additional Context

No response
@SychO9
Copy link
Member

SychO9 commented Jun 26, 2023

@matteocontrini could you provide php flarum info and your database version please?

@luceos
Copy link
Member

luceos commented Jun 26, 2023

I just tried replicating this:

https://discuss.flarum.org/d/33052-mentioned-by

image

incognito:

image

I can't replicate it, so might be an extension. Can you either: a) disable extensions one by one to see if this re-occurs or b) provide a composer.json so we can attempt to reproduce locally?

@imorland
Copy link
Member

imorland commented Jun 27, 2023
edited
Loading

@matteocontrini if you upgrade to the latest fof/merge-discussions this problem should be resolved. Are you able to verify please? This update was released as a recommended update last week

@matteocontrini
Copy link
Contributor Author

@imorland that was it, fixed, thank you everyone!

@imorland
Copy link
Member

Excellent news @matteocontrini - thanks for confirming :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-verification type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@luceos @matteocontrini @imorland @SychO9