Core: Tags, lastDiscussion relation does no permission check

Created on 26 Sep 2017 · 8 Comments · Source: flarum/core

Related to flagrow/byobu#44.

The Tag model has a relation to Discussions using the last_discussion_id, but it completely ignores any permission check as it's using the native Eloquent belongsTo relationship.

As a result any private discussion created last in any tag will have its title shown in the TagsPage. Luckily this page does not load the information using xhr, so no additional information is shared.

security typbug
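The relation described in the report, next to a permission-aware counterpart, as an added illustration rather than code from flarum/core; the Discussion/User models, the whereVisibleTo scope and readableTagIds() are assumptions about how a visibility check could be wired into Eloquent.

```php
<?php
// Added illustration, not flarum/core code. Eloquent base classes are real;
// User, readableTagIds() and the visibility rule are constructed assumptions.
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Discussion extends Model
{
    public function tags()
    {
        return $this->belongsToMany(Tag::class, 'discussions_tags');
    }

    // Assumed scope: keep only discussions whose tags the actor may all read.
    public function scopeWhereVisibleTo(Builder $query, User $actor): Builder
    {
        if ($actor->isAdmin()) {
            return $query;
        }
        // Exclude any discussion carrying a tag outside the actor's readable set.
        return $query->whereDoesntHave('tags', function (Builder $q) use ($actor) {
            $q->whereNotIn('tags.id', $actor->readableTagIds());
        });
    }
}

class Tag extends Model
{
    // The relation as reported: belongsTo resolves last_discussion_id directly,
    // so the title of a private discussion reaches the tag listing unchecked.
    public function lastDiscussion()
    {
        return $this->belongsTo(Discussion::class, 'last_discussion_id');
    }

    // Permission-aware variant: route the same relation through the visibility
    // scope for the requesting user; yields null when that user may not read it.
    public function lastDiscussionVisibleTo(User $actor): ?Discussion
    {
        return $this->lastDiscussion()->whereVisibleTo($actor)->first();
    }
}
```

Callers that render the tag listing would use the scoped accessor so that a discussion the viewer cannot open is simply omitted rather than shown by title.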

All 8 comments

I can pick up this issue if no one else is currently working on a fix?

@michaeldalyuk Please do, and thanks for the offer! :smile:

@michaeldalyuk that would be much appreciated, and that's a fat understatement 😁

@franzliedke @luceos I have not been able to look at this issue as I am having issues trying to run Flarum on OS X using Laravel's Valet environment. I seem to be getting really poor performance, with the browser constantly loading with no console or server errors.

I will try again later this week but wanted to keep you up to date.

Hi @michaeldalyuk. Any progress with this? :smile:

Hi @michaeldalyuk, feel free to join us on Discord if you need assistance. I'm running Flarum with Valet without any issues.

@luceos I was not able to get it running, so I ended up moving on to other projects, but I will give this another try and see if I can get it running. I will join you on Discord if I have any issues and we can go through it together.

Speak soon.

@luceos I managed to get set up without any issues.

I have a fix in place locally and will get a PR raised ASAP so you can review it.
