Hello

I'm using both facebook-style statuses (6.x 1.0-rc1) and advanced forum. I have "My Status" and "Recent Members' Statuses" enabled as blocks.

When a member opens a forum topic posted by another member he gains permission to edit that member's status using the My Status block.

I've had this issue for the previous version of facebook style statuses and it wasn't resolved when I updated to the most recent recommended version.

I think there is some incompatibility between the two modules. Hopefully it can be fixed soon. I'm running a very small scale social website where all members know each other and such security concerns aren't a problem, but I'd imagine that in large scale websites this would be a serious security issue.

cheers
Amr

Comments

icecreamyou

Title: security issue: facebook-style statuses and advanced forum » Node editors can edit author's status after edits?
Component: User interface » Code - Functionality
Assigned: Unassigned » icecreamyou
Status: Active » Postponed (maintainer needs more info)

Okay, a couple of things.

  • PHP version? SQL type and version?
  • There are no "My Status" or "Recent Members' Statuses" blocks. What are you referring to (what are they called on admin/build/blocks)?
  • What do you mean by "when a member opens a forum topic posted by another member"? Do you mean edits or comments on?
  • Do you have this problem with Advanced Forum disabled?
  • What FBS-related permissions do the users in question have? What content editing/posting-related permissions?
  • I'm assuming the permission escalation is restricted only to pages with nodes the relevant user has edited?
  • Do you get any errors in your log?
icecreamyou

Status: Postponed (maintainer needs more info) » Closed (fixed)

Closed due to no response, and also I can't duplicate this behavior, which means it's probably due to a confusion over functionality.

safahat_chamiyeh

I was working all week and didn't have the chance to reply.

What do you mean by "when a member opens a forum topic posted by another member"? Do you mean edits or comments on?
I have the Facebook Status block on the left hand column. Say for example John - an authenticated user with no administrative privileges - logs on to the site and views a forum topic posted by another user, Harry. The Facebook Status block now thinks Harry is the current user: it displays Harry's status and allows John to edit Harry's status. John doesn't have to edit or comment on Harry's forum topic; he just has to view a forum topic posted by Harry to gain editing access to his Facebook status. I hope this makes it clear.

I have upgraded to the latest edition of Facebook Status and re-installed Advanced Forum, and this seems to have partially resolved the issue. Using the above example, John can no longer edit Harry's status. However, the Facebook Status block still thinks that Harry is the current user and lists Harry's, rather than John's, status. The block won't display John's status, or allow him to edit it, until he views a forum topic posted by himself or views content outside the forum.

The answers to your other questions:
I'm using PHP 4.4.9, SQL 5.0.67

There are no "My Status" or "Recent Members' Statuses" blocks. What are you referring to (what are they called on admin/build/blocks)?
Facebook Status, Facebook Status Recent Updates

Do you have this problem with Advanced Forum disabled?
yes

What FBS-related permissions do the users in question have? What content editing/posting-related permissions?
They can edit their own FBS. They can create and edit their own content (pages, stories, forum topics).

I'm assuming the permission escalation is restricted only to pages with nodes the relevant user has edited?
not necessarily

Do you get any errors in your log?
no

safahat_chamiyeh

Priority: Critical » Normal
Status: Closed (fixed) » Active
icecreamyou

Status: Active » Closed (works as designed)

It is the intended behavior of the module, as explicitly explained in the documentation, that the Facebook Status block follows these rules:

  1. On user profiles, it displays the relevant user's status;
  2. On nodes, it displays the node author's status;
  3. Anywhere else, it displays the current user's status.

My belief is that you accidentally accorded John the Administer Statuses permission at first, and that your reinstall removed that permission (which is why you no longer have a problem with John being able to edit Harry's status). However, you are seeing the correct status.

If you want the block to always show the current user's status, create a new block with the PHP input format and put this in it:

<?php
// The Drupal PHP input format only evaluates code inside PHP tags;
// without them the block would print this text literally.
global $user;
// Always render the current user's status, ignoring node/profile context.
echo facebook_status_display_b(NULL, $user->uid);
?>
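To make the distinction in the thread concrete, here is an added example (not the module's own code, and not runnable inside Drupal as-is) that models the three display rules above and, separately, the edit decision. The function names, the route array standing in for Drupal's path context, and the permission strings 'administer statuses' and 'edit own status' are assumptions for illustration.

```php
<?php
// Added example: which user's status the block shows is decided by page
// context; whether the viewer may change it is a separate access check.

function fbs_status_owner(array $route, int $current_uid): int {
  // $route is a constructed stand-in for Drupal's path/menu context.
  if ($route['type'] === 'user') {
    return $route['uid'];           // rule 1: profile page shows that user
  }
  if ($route['type'] === 'node') {
    return $route['author_uid'];    // rule 2: node page shows the author
  }
  return $current_uid;              // rule 3: anywhere else, the viewer
}

function fbs_can_edit(int $owner_uid, int $current_uid, array $perms): bool {
  // Display context never grants editing: only the owner of the shown
  // status, or a holder of the administrative permission, may change it.
  // Permission names are assumptions, not the module's verified strings.
  return $owner_uid === $current_uid
    || in_array('administer statuses', $perms, true);
}

// Constructed scenario from the thread: John views a forum topic by Harry.
$john  = 2;
$harry = 3;
$route = ['type' => 'node', 'author_uid' => $harry];

$shown = fbs_status_owner($route, $john);   // the block shows Harry's status
// John with only his own-status permission, then John if he had been
// (accidentally) granted the administrative permission.
$as_member = fbs_can_edit($shown, $john, ['edit own status']);
$as_admin  = fbs_can_edit($shown, $john, ['administer statuses']);

printf("shown uid=%d, member may edit: %s, admin may edit: %s\n",
  $shown, var_export($as_member, true), var_export($as_admin, true));
?>
```

Checking which roles carry the administrative permission on the permissions page is the first thing to verify when a non-owner can edit a status shown in this block.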
safahat_chamiyeh

I see
thanks very much for clearing that up

cheers