wpsharks / s2member

s2Member® Framework (membership management for WordPress®).

bbPress Search Results expose restricted content #603

Open raamdev opened 9 years ago

raamdev commented 9 years ago

Steps to reproduce this bug

  1. Install and activate bbPress and s2Member
  2. Create a new forum called "Private Forum" and restrict access to Level 2
  3. Add a new Topic to that "Private Forum" and include the word 'coupon' in the Topic body
  4. Create a Level 1 user and log in to the site as that user
  5. Search the bbPress Forums for the keyword 'coupon' (/forums/search/coupon/ by default)

Expected Behavior

Since the topic that includes the 'coupon' keyword is inside a forum that is restricted to Level 2 users, I would expect the search results to exclude any results in that forum, because a Level 1 user should not be able to see Level 2 topic content.

Observed Behavior

The Level 1 user sees the topic that includes the 'coupon' keyword, despite that topic being inside the "Private Forum", which is restricted to Level 2.

Also note that enabling Search Filtering inside s2Member → Restriction Options → Alternative View Protection seems to have no effect on bbPress Searches.


Support threads referencing this issue

raamdev commented 9 years ago

Temporary Workaround

At this time, the recommended workaround is to prevent lower levels of access from searching the forums at all. To do this, you would simply add /forums/search/ to the s2Member → Restriction Options → URI Restrictions (typical w/ BuddyPress) inside the "URIs that Require Level 2 Or Higher" (or whatever level is applicable for your scenario).