[L-7] toggleSubscription creates orphan rows for non-existent forums/threads

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Controllers/ForumController.php:1438

Bug: No existence check before toggle.

Fix: Validate target existence first.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:35pm

Resolved.

ForumController::toggleSubscription now resolves the thread/forum id, looks up the parent forum, and rejects with a 404 unless Forum::canView passes and Forum::isPreviewOnly returns false.

A brute-force subscribe against private-forum thread IDs no longer silently succeeds, so the notification fan-out can't leak reply excerpts from hidden forums.

Also resolves L-7 (orphan subscription rows for nonexistent targets) — we now findById before calling toggle, so invalid ids return 404 and no row is written.

Locking this thread.

Related Discussions

[H-10] toggleSubscription doesn't verify target visibility
Security Issues · 0 replies · 0 views
[C-1] AdminUserController::update can't change roles — User::update throws
Security Issues · 0 replies · 1 views
Feature: File Exchange (Browsing & Downloading)
Feature Spotlights · 0 replies · 1 views
Author-owned orphan works
Lost Software Hunts · 0 replies · 0 views
[forum.thread_purged] Purged empty thread #171: New Feature: In-Browser Commodore 64 Emulator
Admin System Log Files · 0 replies · 4 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy