Exposed Data for Threads

Issue #360 open
Giuseppe De Nicolo' created an issue

When an e-mail is part of a thread it is shown with a [+] beside the Message Object, "even" if for some of these messages I have no read rights. The problem is that even if I am presented with the message "no permission for xxx", and so can't actually read the message body and/or header, I am "aware" of its existence and also of the sender/recipient. Although I can agree that this isn't really harmful in reality, it still exposes some information I shouldn't be aware of (especially in Italy, where privacy laws are somewhat hardening at the moment). Best Regards

Comments (12)

  1. Janos SUTO repo owner

    So you have an email thread where you joined it at a certain point only, and you should not be aware of the previous stuff, right?

  2. Janos SUTO repo owner

    Can you replace the query_all_possible_IDs_by_reference() function in model/search/search.php with this one?

       private function query_all_possible_IDs_by_reference($reference = '', $cache_key = '') {
          $ids = array();

          // Keep the same (total_found, ids) shape on the early exit as on the normal
          // return, so callers never have to special-case an empty reference.
          if($reference == '') { return array(0, $ids); }

          $session = Registry::get('session');

          // Candidate messages: the referenced message itself plus everything that replies to it.
          $query = $this->db->query("SELECT id FROM " . TABLE_META . " WHERE message_id=? OR reference=? ORDER BY id DESC", array($reference, $reference));

          // Authorisation happens here, before the list is handed back, so a message the
          // user may not read is not listed at all (rather than shown as a "no permission" placeholder).
          foreach($query->rows as $q) {
             if($this->check_your_permission_by_id($q['id'])) {
                array_push($ids, $q['id']);
             }
          }

          // Optional second filter: drop ids outside the folders granted to this session.
          // Skip the Sphinx query when nothing survived, since "WHERE id IN ()" is not valid.
          if(ENABLE_FOLDER_RESTRICTIONS == 1 && count($ids) > 0) {
             $query = $this->sphx->query("SELECT id, folder FROM " . SPHINX_MAIN_INDEX . " WHERE id IN (" . implode(",", $ids) . ")");
             $ids = array();
             foreach($query->rows as $q) {
                if(isset($q['folder']) && in_array($q['folder'], $session->get("folders"))) { array_push($ids, $q['id']); }
             }
          }

          $total_found = count($ids);

          if(MEMCACHED_ENABLED && $cache_key) {
             $memcache = Registry::get('memcache');
             $memcache->add($cache_key, array('ts' => time(), 'total_hits' => $total_found, 'total_found' => $total_found, 'ids' => $ids), 0, MEMCACHED_TTL);
          }

          return array($total_found, $ids);
       }
    
  3. Giuseppe De Nicolo' reporter

    Hi and thank you for the answer. I'll replace the query tomorrow morning, and to answer your previous question: in this specific case I was a member of a thread, then one of the members decided to forward the message to a new person (I'm not included, hence the impossibility to read it), and from there the thread extends; I see it is there but obviously can't read it (though the exposed info is the fact that I know the information I sent has been forwarded to someone else).
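
As an added illustration of the access-control point raised in the issue and applied by the patch in comment 2 (example code written for this page, not piler's own code, and not a fix for the regression the reporter describes in the later comments), here is a small Python model of thread expansion over a constructed message store. It reproduces the forward scenario above: Bob forwards Alice's message to Carol, the unfiltered lookup lists the forwarded copy to Alice (leaking its existence, sender and recipient even though she could never open it), and the filtered lookup drops it before anything is rendered. The names, the permission rule, the folder restriction and the function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One row of a metadata table, reduced to what thread expansion needs."""
    id: int
    message_id: str
    reference: str       # message_id this one replies to or forwards; '' if none
    sender: str
    recipients: tuple
    folder: str


# Constructed sample data (not from the issue): Alice mails Bob, Bob replies,
# Bob forwards Alice's message to Carol, Carol answers Bob in a restricted folder.
MESSAGES = [
    Message(1, "<a1@example.com>", "", "alice@example.com", ("bob@example.com",), "inbox"),
    Message(2, "<b1@example.com>", "<a1@example.com>", "bob@example.com", ("alice@example.com",), "inbox"),
    Message(3, "<b2@example.com>", "<a1@example.com>", "bob@example.com", ("carol@example.com",), "inbox"),
    Message(4, "<c1@example.com>", "<b2@example.com>", "carol@example.com", ("bob@example.com",), "hr"),
]
BY_ID = {m.id: m for m in MESSAGES}


def can_read(user, msg):
    """Assumed permission rule: a user may read mail they sent or received."""
    return user == msg.sender or user in msg.recipients


def thread_ids_unfiltered(reference):
    """The behaviour the issue reports: every row whose message_id or reference
    matches is listed, and the permission check only runs when a body is opened.
    A user who cannot read message 3 still learns it exists and who it went to."""
    return sorted((m.id for m in MESSAGES
                   if reference in (m.message_id, m.reference)), reverse=True)


def thread_ids_for_user(user, reference, allowed_folders=None):
    """Filter before listing, as the posted patch does: permission first, then
    the optional folder restriction. Always returns (total_found, ids), so an
    empty reference or an empty candidate set needs no special-casing by callers."""
    if not reference:
        return 0, []
    ids = [m.id for m in MESSAGES
           if reference in (m.message_id, m.reference) and can_read(user, m)]
    if allowed_folders is not None and ids:
        ids = [i for i in ids if BY_ID[i].folder in allowed_folders]
    ids.sort(reverse=True)
    return len(ids), ids


def render_thread(user, reference):
    """What the [+] expansion shows after filtering: one 'sender -> recipients'
    line per visible message, and no placeholder line for hidden ones."""
    _, ids = thread_ids_for_user(user, reference)
    return [f"{BY_ID[i].sender} -> {', '.join(BY_ID[i].recipients)}" for i in ids]


if __name__ == "__main__":
    ref = "<a1@example.com>"
    print("unfiltered listing:", thread_ids_unfiltered(ref))
    print("alice sees:", render_thread("alice@example.com", ref))
    print("carol sees:", render_thread("carol@example.com", ref))
```

The point of the two-step shape is that the decision is made on the id list, not at render time: a "no permission" placeholder is itself a disclosure, so the id must never reach the template. The folder filter runs only on ids that already passed the permission check, and is skipped when that list is empty.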

  4. Giuseppe De Nicolo' reporter

    Hello,

    I tried your new updated function, and now I do not see the messages I'm not entitled to, BUT now the thread doesn't work anymore: any time I click on a [+], strangely, I always see the same message.

    Thank you

  5. Giuseppe De Nicolo' reporter

    Hello, I think there has been a misunderstanding. As I said, now the [+] thread function doesn't work at all; every time I try to expand the thread I always see the same message (which is not related to any thread).

  6. Janos SUTO repo owner

    Can you show me a before the patch and after the patch screenshot? I'd like to see what you can see.

  7. Giuseppe De Nicolo' reporter

    Hello, sorry for the delay, but I had some holiday time, heh. Anyway, here are the screens:

    Stable: [screenshot: entitled to all msgs on thread]

    Stable: [screenshot: NOT entitled to all msgs on thread]

    Patch: [screenshot: entitled to all msgs on thread]

    Patch: [screenshot: NOT entitled to all msgs on thread]

    The threads "entitled" and "NOT entitled" are the same for stable and patched; take into account anyway that for ALL the "entitled" type of threads I "always" get the same message you see in the screenshot of the patched version.

    Thanks for your time

  8. Janos SUTO repo owner

    Sorry for the late reply, I'll continue working on the issue. Please give me some more time, I'm a bit overwhelmed at the moment.
