Moderators can access PMs that they are not invited to


(cpradio) #1

Continuing the discussion from Impersonation and reading private messages:

As stated in the above, moderators, who are not allowed to impersonate other users, can access other users’ PMs by altering the URL.


(Jeff Atwood) #2

@neil can you put in a “saving throw” check for this when PMs are loaded to make sure moderators can only see PMs they are in the permission list for?


(Neil Lalonde) #3

I plugged that hole today. The guardian code needed to forbid moderators from seeing all PMs, so that should catch any other cases we might have missed.
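
An added example, not part of the original posts and not Discourse's own guardian code: a minimal Ruby model of the check requested in post #2 and the fix described in post #3, with the flawed check beside the corrected one. The `Guardian`, `User`, `Topic` and `load_topic` names are hypothetical, the sample data is constructed, and letting admins keep access is an assumption.

```ruby
# Hypothetical, simplified model; sample users and topics are constructed.
User  = Struct.new(:id, :admin, :moderator, keyword_init: true)
Topic = Struct.new(:id, :private_message, :allowed_user_ids, keyword_init: true)

class AccessDenied < StandardError; end

class Guardian
  def initialize(user)
    @user = user
  end

  # Flawed: any staff role passes, so a moderator who requests a PM's URL
  # directly is served a PM they were never invited to.
  def can_see_topic_flawed?(topic)
    return true unless topic.private_message
    return false if @user.nil?
    return true if @user.admin || @user.moderator
    topic.allowed_user_ids.include?(@user.id)
  end

  # Corrected: the moderator role grants nothing for PMs; only the PM's
  # permission list does. Admin access is kept here as an assumption.
  def can_see_topic?(topic)
    return true unless topic.private_message
    return false if @user.nil?
    return true if @user.admin
    topic.allowed_user_ids.include?(@user.id)
  end
end

# The check runs at load time, on every path that fetches a topic by id,
# so a hand-edited URL hits the same authorization as a normal link.
def load_topic(store, id, guardian)
  topic = store.fetch(id)
  raise AccessDenied, "topic #{id}" unless guardian.can_see_topic?(topic)
  topic
end

MOD_OUTSIDE = User.new(id: 1, admin: false, moderator: true)
MOD_INVITED = User.new(id: 2, admin: false, moderator: true)
TOPICS = {
  7  => Topic.new(id: 7,  private_message: false, allowed_user_ids: []),
  42 => Topic.new(id: 42, private_message: true,  allowed_user_ids: [2, 3])
}.freeze
```

Placing the denial in the guardian rather than in one controller action is what lets it cover other code paths that load PMs, as post #3 notes.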

(Jeff Atwood) #4

This topic was automatically closed after 24 hours. New replies are no longer allowed.