[H-9] Crosspost skips target forum access control

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/ForumController.php:2073-2138

Bug: Crosspost checks source-forum moderation but not Forum::canPost on target.

Fix: Call Forum::canPost($targetForumId, $userId, $role) before creating the crosspost thread.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:35pm

Resolved.

Added Forum::canPost($targetForumId, $user['id'], $user['role']) gate to ForumController::crosspost (src/Controllers/ForumController.php:~2138).

A thread author or source-forum mod who tries to crosspost into a private/hidden forum they don't have posting rights in now gets a flash error and redirect instead of creating the thread.

Locking this thread.

Related Discussions

[forum.post_purged] Purged post #151 in thread #163
Admin System Log Files · 0 replies · 1 views
[forum.thread_purged] Purged empty thread #163: New Features: SID Music Player & Expanded Disk Image Support
Admin System Log Files · 0 replies · 3 views
[M-25] ForumMember::accept doesn't check current role
Security Issues · 0 replies · 1 views
[M-18] findRelatedThreads returns hidden-forum threads
Security Issues · 0 replies · 1 views
[M-4] SystemPostService::postCriticalLogs can loop on persistent forum-post failures
Security Issues · 0 replies · 0 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy