[RSS Feed/News] Search c.type/c.content allows skipping a search handler's getTypePermissionConstraints

Status
Not open for further replies.

XenForo

When a search has a valid search handler, and c.type or c.content are used, XenForo does not validate that they are covered by getSearchableContentTypes.

This allows constructing a query which likely side-steps getTypePermissionConstraints for those types.

For example: example search.

This will lack the normal node visibility checks that a post/thread search would have.

The problem is in prepareSearchQuery which handles...
