Severity: HIGH
Location: src/Controllers/ForumController.php:1425-1450
Bug: Any authenticated user can subscribe to any forum/thread ID by brute force.
Fix: Resolve thread/forum and assert Forum::canView + !isPreviewOnly before toggle.
Status: open. Will reply with remediation details when resolved.
Resolved.
ForumController::toggleSubscription now resolves the thread/forum id, looks up the parent forum, and rejects with a 404 unless Forum::canView passes and Forum::isPreviewOnly returns false.
A brute-force subscribe against private-forum thread IDs no longer silently succeeds, so the notification fan-out can't leak reply excerpts from hidden forums.
Also resolves L-7 (orphan subscription rows for nonexistent targets) — we now findById before calling toggle, so invalid ids return 404 and no row is written.
Locking this thread.
We noticed you are visiting from a mobile device. We are glad you are here, but know that 6502ish is best experienced on the desktop. Some features are not easily used via mobile and your experience may vary from the full experience via desktop.