Permissions bug on 1.0.6b

Discussion in '[bd] Keyword Alert' started by dvsDave, Sep 29, 2015.

  1. dvsDave

    dvsDave Webmaster

    So, I went to great lengths to confirm this bug.

    I have a test user that I setup with permission to the Keyword alert system and set a test keyword "qwertytest"


    I then made sure a forum that the test user did NOT have access to was set to be a Private Node


    I confirmed that the user does NOT have permission to view this forum (confirmed with XF's Analyse Permissions tool)


    Then I posted in the forum with my admin account a message that included a keyword that the test user had setup. I got an email immediately, despite the user not being able to click the link, it still shows a snippet of the conversation in the email.

    I'm running Xenforo 1.5.0 at the moment and running Keyword Alert 1.0.6b.
  2. dvsDave

    dvsDave Webmaster

    So, I went ahead and paid another developer $50 to find the bug and fix it. I tested this patch and personally reviewed the code to make sure everything is kosher. Here is a diff patch file to apply to your server to fix the permissions bug. Here's a good primer on DIFF files in linux.

    7 Patch Command Examples to Apply Diff Patch Files in Linux

    When there is a security fix available for a particular software, we typically do a binary upgrade using the package management tools like yum or apt-get.

    I can't post the full zip file since this is a paid addon, but this diff file only works if you are running the current 1.0.6b file from xfrocks site.

    @xfrocks I can send you a full zip file for you to review and then post for everyone who has bought this addon already. I commissioned this add-on and I will make sure that it stays current and secure. If you don't want to deal with it anymore, let me know and I'll take the entire project off your hands.

    Attached Files: