[Resolved] careb

    (@careb)


    i have a multisite install with one hidden blog that only a handful of users can access.

    but, i also have Subscribe 2 running on this hidden blog. once i enable Subscribe 2 for any other blog, hidden or not, any user with access to the “Your Subscriptions” menu can see all the other blogs which have Subscribe 2 enabled, including the hidden one.

    i would prefer that this hidden blog not show up at all, but i couldn’t figure out how to do that.

    i added more code to the hidden blog to redirect users who shouldn’t have access based on ‘list_users’ and removed dashboard access with AAM. this doesn’t work.

    any user can still see the hidden blog and Subscribe to it just by clicking the link. while this action sends the user to an ‘Access Denied’ page, Subscribe 2 registers the subscription and adds the user to the hidden blog with whatever role they had on the non-hidden blog.

    since the hidden blog has Subscribe 2, the restricted user gets the post emailed to them from the hidden blog they shouldn’t have access to at all.

    what i need is a little snippet of code that will let me exclude the hidden blog from this listing …

    any help or insights greatly appreciated.

    https://wordpress.org/plugins/subscribe2/

Viewing 6 replies - 1 through 6 (of 6 total)
    @careb,

    How are you hiding this blog? Is it a core part of Multisite?

    In the class-s2-multisite.php library the blogs are collected with this query:
    $blogs = $wpdb->get_results( $wpdb->prepare("SELECT blog_id, domain, path FROM $wpdb->blogs WHERE site_id = %d AND archived = '0' AND mature = '0' AND spam = '0' AND deleted = '0' ORDER BY registered DESC", $wpdb->siteid), ARRAY_A );

    I suspect we simply need to add another check in there but as I don’t use Multisite myself I’m not sure what that would be at the moment.

    Thread Starter careb

    (@careb)

    hi!

    the blog is hidden by not linking, only allowing select users, and auth_redirect so unauthorized users don’t know where it is and can’t access it if they should find it. there are no core things hiding it.

    if i check the hidden blog off as ‘mature’ … that should stop it from showing on the Your Subscriptions page, right?

    Thread Starter careb

    (@careb)

    okay, setting the hidden blog to ‘mature’ does take the blog out of the listing on the Your Subscriptions menu

    but … the security hole is still there.

    @careb,

    I disagree that this is a security hole and I am also struggling to imagine how Subscribe2 could be expected to detect the changes you have made to hide this blog and then respond as you expect. The code pasted above is used to collect blog data directly from the database so your changes would not have been apparent.

    The only solution I can envisage is to apply a filter to the returned blog list in the get_mu_blog_list() function to allow removal of specific blogs in cases such as this.

    Thread Starter careb

    (@careb)

    i’ve had to change my hidden blog’s setting so the “mature” workaround was no longer viable.

    sure enough, any user could see the Subscribe link and the View Settings link on the Your Subscriptions page

    that won’t do.

    all my users are registered on a very small site and only 6 of them should be able to even see the hidden blog in the listing of blogs at the bottom of this page.

    i poked around into your-subscriptions.php, specifically line 239:

    if ( is_user_member_of_blog($current_user->id, $blog['blog_id']) ) {
    	echo "<a href=\"". $blog['subscribe_page'] . "\">" . __('View Settings', 'subscribe2') . "</a>\r\n";
    }
    echo "<a href=\"" . esc_url( add_query_arg('s2mu_unsubscribe', $blog['blog_id']) ) . "\">" . __('Unsubscribe', 'subscribe2') . "</a></span>\r\n";
    }

    what my users see are all the blogs that have the Subscribe2 plugin enabled, including the one that they are not a member of and normally can’t access directly because of a bit of code that checks their capabilities, then uses wp_redirect().

    i moved your use of is_user_member_of_blog() to after foreach and finally, things work as expected: if a user is not a member of a blog, that blog does not show in the list of blogs they can subscribe to.

    hope this code helps someone else 🙂

    echo "<div class=\"s2_admin\" id=\"s2_mu_sites\">\r\n";
    	if ( !empty($blogs_subscribed) ) {
    		ksort($blogs_subscribed);
    		echo "<h2>" . __('Subscribed Blogs', 'subscribe2') . "</h2>\r\n";
    		echo "<ul class=\"s2_blogs\">\r\n";
    		foreach ( $blogs_subscribed as $blog ) {
    			// Whole <li> (name, buttons, description) is only rendered for blogs the user is a member of.
    			if ( is_user_member_of_blog($current_user->ID, $blog['blog_id']) ) {
    				echo "<li><span class=\"name\"><a href=\"" . esc_url($blog['blogurl']) . "\" title=\"" . esc_attr($blog['description']) . "\">" . esc_html($blog['blogname']) . "</a></span>\r\n";
    				if ( $s2blog_id == $blog['blog_id'] ) {
    					echo "<span class=\"buttons\">" . __('Viewing Settings Now', 'subscribe2') . "</span>\r\n";
    				} else {
    					echo "<span class=\"buttons\">";
    					echo "<a href=\"" . esc_url($blog['subscribe_page']) . "\">" . __('View Settings', 'subscribe2') . "</a>\r\n";
    					echo "<a href=\"" . esc_url( add_query_arg('s2mu_unsubscribe', $blog['blog_id']) ) . "\">" . __('Unsubscribe', 'subscribe2') . "</a></span>\r\n";
    				}
    				echo "<div class=\"additional_info\">" . esc_html($blog['description']) . "</div>\r\n";
    				echo "</li>";
    			}
    		}
    		echo "</ul>\r\n";
    	}
    
    	if ( !empty($blogs_notsubscribed) ) {
    		ksort($blogs_notsubscribed);
    		echo "<h2>" . __('Subscribe to new blogs', 'subscribe2') . "</h2>\r\n";
    		echo "<ul class=\"s2_blogs\">";
    		foreach ( $blogs_notsubscribed as $blog ) {
    			// Same membership gate as above, so a non-member never sees the Subscribe link or the blog description.
    			if ( is_user_member_of_blog($current_user->ID, $blog['blog_id']) ) {
    				echo "<li><span class=\"name\"><a href=\"" . esc_url($blog['blogurl']) . "\" title=\"" . esc_attr($blog['description']) . "\">" . esc_html($blog['blogname']) . "</a></span>\r\n";
    				if ( $s2blog_id == $blog['blog_id'] ) {
    					echo "<span class=\"buttons\">" . __('Viewing Settings Now', 'subscribe2') . "</span>\r\n";
    				} else {
    					echo "<span class=\"buttons\">";
    					echo "<a href=\"" . esc_url($blog['subscribe_page']) . "\">" . __('View Settings', 'subscribe2') . "</a>\r\n";
    					echo "<a href=\"" . esc_url( add_query_arg('s2mu_subscribe', $blog['blog_id']) ) . "\">" . __('Subscribe', 'subscribe2') . "</a></span>\r\n";
    				}
    				echo "<div class=\"additional_info\">" . esc_html($blog['description']) . "</div>\r\n";
    				echo "</li>";
    			}
    		}
    		echo "</ul>\r\n";
    	}
    	echo "</div>\r\n";
    }
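    A worked example, added here by the editor and not part of this thread, of Subscribe2 or of WordPress core: a small mu-plugin that does both of the things discussed above, filtering the blog list the way the maintainer proposed for get_mu_blog_list(), and, more importantly for the problem careb describes, refusing the s2mu_subscribe / s2mu_unsubscribe request itself when the user is not a member of that blog. Hiding the link only removes it from the page; the query argument can still be sent, so the server-side check is what actually prevents the subscription from being recorded. The filter name s2_mu_blog_list, the careb_* function names and the 'init' priority are assumptions, not names that exist in the plugin.

```php
<?php
/**
 * Plugin Name: Restrict Subscribe2 MU listing and actions to blog members
 * Editor's example, not Subscribe2's own code. Drop into wp-content/mu-plugins/.
 *
 * ASSUMPTIONS (hypothetical):
 *  - Subscribe2 applies a filter named 's2_mu_blog_list' to the array returned
 *    by get_mu_blog_list(); the maintainer only proposed adding such a filter.
 *  - Each entry in that array is an associative array with a 'blog_id' key,
 *    as in the code quoted in this thread.
 *  - Subscribe2 processes the s2mu_* query arguments later than 'init' priority 1.
 */

/**
 * Single authorization decision used by both the listing and the request guard.
 * Returns true only when $user_id is a member of $blog_id (or a super admin).
 */
function careb_user_may_see_blog( $user_id, $blog_id ) {
	$user_id = (int) $user_id;
	$blog_id = (int) $blog_id;
	if ( $user_id <= 0 || $blog_id <= 0 ) {
		return false;
	}
	// Network super admins administer every site on the network.
	if ( is_super_admin( $user_id ) ) {
		return true;
	}
	// Same membership test careb used in the listing patch above.
	return is_user_member_of_blog( $user_id, $blog_id );
}

/**
 * Filter callback: remove blogs the current user is not a member of before the
 * "Your Subscriptions" page renders them. The hook name is an assumption.
 */
function careb_filter_s2_blog_list( $blogs ) {
	$user_id = get_current_user_id();
	foreach ( (array) $blogs as $key => $blog ) {
		if ( empty( $blog['blog_id'] ) || ! careb_user_may_see_blog( $user_id, $blog['blog_id'] ) ) {
			unset( $blogs[ $key ] );
		}
	}
	return $blogs;
}
add_filter( 's2_mu_blog_list', 'careb_filter_s2_blog_list' );

/**
 * Server-side guard for the subscribe / unsubscribe request. This is the part
 * that closes the gap careb describes: a user who guesses or bookmarks the
 * s2mu_subscribe URL for the hidden blog is stopped before Subscribe2 records
 * anything, and the refusal is a 403 that shows up in the web server log.
 */
function careb_guard_s2mu_request() {
	$action_keys = array( 's2mu_subscribe', 's2mu_unsubscribe' );
	foreach ( $action_keys as $key ) {
		if ( ! isset( $_GET[ $key ] ) ) {
			continue;
		}
		if ( ! careb_user_may_see_blog( get_current_user_id(), $_GET[ $key ] ) ) {
			wp_die(
				esc_html__( 'You are not a member of that site.', 'subscribe2' ),
				'',
				array( 'response' => 403 )
			);
		}
	}
}
// Priority 1 so this runs before the plugin's own request handling (assumption; verify load order).
add_action( 'init', 'careb_guard_s2mu_request', 1 );
```

    The listing filter and the request guard share careb_user_may_see_blog() so the two can never disagree about who is allowed to see a blog; if the plugin's actual filter name or the hook it processes s2mu_* on differs, only the add_filter / add_action lines need to change.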

    @careb,

    Thanks for posting your code amendments, I’ll compare them to the current code and if they maintain current behaviour I’ll incorporate this into a future version of Subscribe2.

    The topic ‘MU & Subscribe 2: anyone can access locked site from "Your Subscriptions"’ is closed to new replies.