So, I went to great lengths to confirm this bug. I have a test user that I setup with permission to the Keyword alert system and set a test keyword "qwertytest" I then made sure a forum that the test user did NOT have access to was set to be a Private Node I confirmed that the user does NOT have permission to view this forum (confirmed with XF's Analyse Permissions tool) Then I posted in the forum with my admin account a message that included a keyword that the test user had setup. I got an email immediately, despite the user not being able to click the link, it still shows a snippet of the conversation in the email. I'm running Xenforo 1.5.0 at the moment and running Keyword Alert 1.0.6b.
So, I went ahead and paid another developer $50 to find the bug and fix it. I tested this patch and personally reviewed the code to make sure everything is kosher. Here is a diff patch file to apply to your server to fix the permissions bug. Here's a good primer on DIFF files in linux. http://www.thegeekstuff.com/2014/12/patch-command-examples/ 7 Patch Command Examples to Apply Diff Patch Files in Linux When there is a security fix available for a particular software, we typically do a binary upgrade using the package management tools like yum or apt-get. But, there might be situation where you have installed a software by compiling it from the... thegeekstuff.com I can't post the full zip file since this is a paid addon, but this diff file only works if you are running the current 1.0.6b file from xfrocks site. @xfrocks I can send you a full zip file for you to review and then post for everyone who has bought this addon already. I commissioned this add-on and I will make sure that it stays current and secure. If you don't want to deal with it anymore, let me know and I'll take the entire project off your hands.