I have a forum about a game (Xonotic) and we have trouble with a huge troll on there. He claims to be able to see a section of my forum that should only be visible for certain groups which he's not part of. I was wondering if such a thing is possible because he did give some accurate information about topics that were located in that section. And if it's possible what can i do about it?

vega

Hello,

Sounds like there is a permissions problem somewhere that is making it possible for the user to read topics in there.

I would double check the permissions for that section and make sure 'Can read the topics' and 'Can view the forum' are both unticked for all groups that you dont want to be able to view it.

I have seen it happen where, in the rare event, if you have 'Can view the forum' unticked for users or groups, but the admin who set up the permissions either forget to untick or didnt see the need to untick 'Can read topics'. Now when this happens, while the section itself may be hidden, a user could still read the topics in the section if they have the precise topic url or if they clicked a link to it.

That said, I would make sure both 'Can view the forum' and 'Can read the topics' are unticked for the groups you dont want to access the section or any of the topic in it .

Also it could be that this member is just saying he/she can see the section.  Ask for proof, like screenshots.

Could it be that he/she has another account that is part of the group, or could it be that he/she used an account of a member of that group?

Thing is he doesn't even have an account on my forum, he's a guest. The permissions are all set the way they have to be, i double checked just now. I'll be sure to ask him for proof though, he might just have receive the information from a person who can see the topics.

vega

sounds to me this member is not a guest but dose really have an account there just not telling you they have one

APE wrote:sounds to me this member is not a guest but dose really have an account there just not telling you they have one

Even if that's the case he's for sure not a part of the groups that can see this section. I know every single one of those guy personally and he's not one of them. The scary thing is that he's really good with coding so i thought he might be able to hack people, before i assume that though i'll ask him for proof.

vega

Is he friends with the other members of this group?  It could be that someone allowed him to used their account.

Hi,

So, like others said above, it's highly likely that someone told him, leaked or granted him access to these sections. If he isn't an administrator and doesn't have permission to see the topics, he won't, since PHP technology is based server side. That way, even if he tried to modify things client side it would be unlikely for him to discover a glitch that would allow such access. If you do trust people that have access to these sections and they say they are not leaking information, I'd say it's much more probable that they have weak passwords and, there for, allowed someone to access their own personal accounts. There are other concerns, such as the usage of the same password throughout the internet, the same password for both e-mail and forum's account and so on. By any chance, have you received a PM from him or other suspicious account with an external link? It isn't necessarily a virus that would grant him access.

Besides, what's the extension of these leaks? He knows precisely the content of a post, he knows when someone posted in the private section, what time, what's the topic URL...? There are easy ways of finding these without having trouble (except for the content of the posts and the topic).

However, again, most likely it has been leaked by someone with access or had their account compromised -- thus granting access.

Ace wrote:
However, again, most likely it has been leaked by someone with access or had their account compromised -- thus granting access.

Turns out it was leaked information by one of my other members. He couldn't provide any proof he could see all the posts, he only had information about a few. The information given away wasn't much of a problem, it would have been a problem if he got other information as we do talk about our gameserver configuration and such a lot in that private section. I will mark the topic as solved, guess i shouldn't panic that fast next time

Thanks guys!