Hi!
It looks like you have an issue with authorization using the "comments/quote" REST method.
As of now, it allows non-admin users to get any comment's message content (even from the non-public staff/mod-talk/ sub-forum) by id.
For example, the message with id 46 clearly contains some sensitive admin data about "... a playful, slightly Hearthstoney font."
Also, the members page for an admin user (like /members/fluxflashor) allows seeing the names of threads from the staff/ sub-forum, which can also potentially leak some sensitive information.
Comments
Thanks for the report, zmacr.
Both issues have been fixed.
... looks like now I can only "Quote" my own messages, and not the messages of other users (the forum Quote button is useless for now).
Instead, I think a user should be able to Quote any message (written by any user) which belongs to threads he is authorized to view.
Second issue looks fixed with no further problems.
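The authorization rule the thread converges on, as an added illustration that is not the forum software's own code: the comment id is looked up first, and the decision is made on the visibility of the thread the comment belongs to, not on whether the caller wrote the comment. The users, thread ids, comment ids and the staff-forum text below are constructed sample data, not values from the site in the report.

```python
from dataclasses import dataclass, field

# Constructed sample data: one public thread and one staff-only thread.
@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Thread:
    id: int
    forum: str
    allowed_roles: set  # empty set means the thread is public

@dataclass
class Comment:
    id: int
    thread_id: int
    author: str
    body: str

THREADS = {1: Thread(1, "general", set()), 2: Thread(2, "staff", {"admin", "mod"})}
COMMENTS = {
    10: Comment(10, 1, "alice", "Welcome to the forum!"),
    46: Comment(46, 2, "fluxflashor", "[constructed staff-only discussion]"),
}

def can_view_thread(user, thread):
    """A thread is visible if it is public or the user holds a permitted role."""
    return not thread.allowed_roles or bool(user.roles & thread.allowed_roles)

def quote_vulnerable(user, comment_id):
    """Behaviour described in the report: any comment id is served to anyone."""
    return COMMENTS[comment_id].body

def quote_owner_only(user, comment_id):
    """The over-restrictive first fix: only the author may quote a comment."""
    c = COMMENTS[comment_id]
    if c.author != user.name:
        raise PermissionError("not your comment")
    return c.body

def quote_fixed(user, comment_id):
    """Suggested rule: authorize on the comment's thread, not on ownership."""
    c = COMMENTS.get(comment_id)
    if c is None or not can_view_thread(user, THREADS[c.thread_id]):
        # Same error for unknown and forbidden ids, so the endpoint
        # does not confirm that a hidden comment exists.
        raise PermissionError("comment not found")
    return c.body
```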