I have a private forum with access set to only the Administrator and Moderator. But when I make a post, regular users are getting notifications. I discovered this because my SMTP plugin keeps a log of all emails going out. When I go to the Forum Members section and I look under any member's subscription check marks, anyone has the ability to see the hidden forums and subscribe to them. They don't have access to see the posts because they can't access the forum, but sometimes the notifications have the content of the post in the body of the email.
Why are regular users who do not have access to the forum able to subscribe to it and even see that it exists? I have attached screenshots showing that you can subscribe to any and all forums, private or not, through your profile.
I have an Administration forum with a Private Test Forum that only I have access to, but people are getting notifications from it because they are able to select it from their profile.
wpForo: 2.4.17
WordPress: 6.9.4
Hi @moptop,
Something is wrong with your tests, there is no such bug in wpForo.
When you view the subscription page of a user with your account you see all forums; it doesn't mean the user sees the same list of forums. The user will only see the forums which they are allowed to see.
It seems that after creating the forum or setting it private, the cache has not been properly deleted, or you have tested with the wrong user.
Here is the checklist:
- I recommend deleting the test user, creating a new one and testing with the new user. Make sure you're logged in with that user when you check the forum list.
- Also, make sure the No Access is correctly configured for the forum where you create topics. I mean it should be the parent forum or the category, the access configuration must be for each forum and sub-forum.
- Edit the "No Access" forum access and make sure its permissions are unchecked.
- Delete all kinds of caches and the wpForo cache in the wpForo > Overview admin page.
- Re-synchronize user roles with usergroups in the wpForo > Usergroups admin page.
- Use real email addresses and inboxes to see the email notification, do not rely on plugin logs.
We did a deep review of wpForo today, here is the result:
| PR | Description | Private Forum Impact |
|---|---|---|
| #1052 | Fix read tracking variable | None |
| #1053 | Async indexing breakdown | None |
| #1054 | Fix duplicate moderation emails | None (adds checks, not removes) |
| #1055 | Fix view count duplicates | None |
| #1056 | Async email queue | None (doesn't change access logic) |
| #1057 | Add context parameters | None (doesn't change access logic) |
No bug found that would send email notifications to inappropriate users from private forums.
Current Status: SECURE ✅
All three email notification modules have proper view_access checks:
| Module | Check Location |
|---|---|
| Subscriptions | WPF()->topic->view_access($topic, $user) |
| Subscriptions | WPF()->post->view_access($post, $user) |
| Follows | WPF()->topic->view_access($topic, $user) |
| Follows | WPF()->post->view_access($post, $user) |
| Mentioning | Both topic and post view_access |
These checks verify:
- Forum view permission
- Topic view permission
- Private topic view permission
The view_access checks have been in place since May 2022.
Only exception: Admin emails configured in wpForo > Settings > Email receive all notifications (by design - they're site admins).
Thank you for looking into that and the clarification when logged in as an admin and looking at a user's subscriptions.
I cleared all the caches and re-synced the user data and groups and that seems to have solved the issue with the forum emailing unauthorized users.
I will keep an eye on it and do some regular testing on private forums to ensure it doesn't happen again.
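An added example, not part of the thread and not wpForo code: one way to run the regular check on private forums is to audit an exported outgoing-mail log against the list of addresses allowed to view each private forum. The CSV columns, the subject wording, the sample rows and the `PRIVATE_FORUMS` allow-list are all constructed assumptions; adapt them to what your SMTP logging plugin exports.

```python
import csv
import io

# Constructed sample export of an SMTP log (column names are an assumption).
SAMPLE_LOG = """date,to,subject
2025-01-10 09:00:01,admin@example.test,New topic in Private Test Forum
2025-01-10 09:00:02,mod@example.test,New topic in Private Test Forum
2025-01-10 09:00:03,alice@example.test,New topic in Private Test Forum
2025-01-10 09:05:10,alice@example.test,New reply in General Discussion
2025-01-10 09:07:44,Bob@Example.test,New reply in private test forum
"""

# Hypothetical allow-list: private forum title -> addresses allowed to view it.
# Include any admin addresses that receive all notifications by design.
PRIVATE_FORUMS = {
    "Private Test Forum": {"admin@example.test", "mod@example.test"},
}


def find_leaks(log_text, private_forums):
    """Return (date, recipient, forum) for each mail whose subject mentions a
    private forum but whose recipient is outside that forum's allow-list."""
    leaks = []
    for row in csv.DictReader(io.StringIO(log_text)):
        recipient = row["to"].strip().lower()
        subject = row["subject"].lower()
        for forum, allowed in private_forums.items():
            if forum.lower() not in subject:
                continue  # this mail is not about the private forum
            if recipient not in {a.lower() for a in allowed}:
                leaks.append((row["date"], recipient, forum))
    return leaks


if __name__ == "__main__":
    for date, recipient, forum in find_leaks(SAMPLE_LOG, PRIVATE_FORUMS):
        print(f"{date}  {recipient}  received mail for private forum '{forum}'")
```

An empty result after clearing caches and re-syncing usergroups supports the fix; any row returned is worth confirming against a real inbox, as the checklist above advises.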


