I have a forum setup like the following:
- Public Category
  - Public Forum
- Private Category
  - Private Forum
If a user only has access to the Public Category, and then goes to their Profile > Subscription Manager page they see the following:
- Public Category
  - Public Forum
If this user then selects the "Subscribe to all new topics and posts", it will subscribe them to all forums. So if I then post on an account that has Private Forum access, the user that doesn't have access to that forum gets an email notification that a new post was made. The links don't work because they bring them to a page that says they don't have access, but the content of the post is in the email already.
This is a fairly big security issue as people can subscribe to sections and get info for categories and forums that they are set as "No Access" on. Did I set up something incorrectly, or is this just a bug?
Thanks.
Hi @kuipo,
There is no such issue on our test websites.
Just navigate to the Dashboard > Forums > Forums admin page and make sure you set "No Access" not only for the Private Category created by you, but for the Private Forum too, for the current usergroup, and check again.
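
An added illustration, not part of the thread and not the forum software's own code: a minimal model of checking each subscriber's access when a notification is sent, so that a "subscribe to all" flag cannot deliver post content from a forum whose usergroup permission is "No Access". All names (`ACCESS`, `can_read`, `recipients`) and the sample users are constructed, and treating a deny on either the category or the forum as final is an assumption of this sketch.

```python
# Constructed model; names and data are hypothetical, not the plugin's API.
from dataclasses import dataclass, field

# forum -> parent category (layout taken from the question)
PARENT = {"Public Forum": "Public Category", "Private Forum": "Private Category"}

# Per-usergroup access for categories and forums; anything unlisted is denied.
ACCESS = {
    "member": {"Public Category": "read", "Public Forum": "read",
               "Private Category": "no_access", "Private Forum": "no_access"},
    "staff": {"Public Category": "read", "Public Forum": "read",
              "Private Category": "read", "Private Forum": "read"},
    # Misconfigured group: category denied, forum itself left readable.
    "partial": {"Public Category": "read", "Public Forum": "read",
                "Private Category": "no_access", "Private Forum": "read"},
}

@dataclass
class User:
    name: str
    group: str
    subscribe_all: bool = False
    forums: set = field(default_factory=set)

def can_read(user, forum):
    """Deny wins: both the forum and its parent category must grant read."""
    acl = ACCESS.get(user.group, {})
    return all(acl.get(node, "no_access") == "read"
               for node in (forum, PARENT[forum]))

def wants(user, forum):
    """True if the user's subscriptions cover this forum."""
    return user.subscribe_all or forum in user.forums

def recipients(users, forum, enforce=True):
    """Names that receive the e-mail for a new post in `forum`.
    enforce=False models the reported behaviour (subscription alone decides)."""
    return [u.name for u in users
            if wants(u, forum) and (not enforce or can_read(u, forum))]

USERS = [User("alice", "member", subscribe_all=True),
         User("bob", "staff", subscribe_all=True),
         User("carol", "partial", forums={"Private Forum"})]

if __name__ == "__main__":
    print("unchecked:", recipients(USERS, "Private Forum", enforce=False))
    print("checked:  ", recipients(USERS, "Private Forum"))
```

The check runs per recipient at send time rather than when the subscription is created, so a permission change made after someone subscribed also takes effect.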