• Read Mail loadable module: No way to read other user's personal mail/s

    From Eric Oulashin@1:103/705 to GitLab issue in main/sbbs on Wed Feb 8 19:14:59 2023
    open https://gitlab.synchro.net/main/sbbs/-/issues/513

    I noticed this while working with my message reader (DDMsgReader.js).For sysops, when deleting a user with the UEDIT command, Synchronet gives you the option to read that user's incoming/sent email. When using the "Read mail" loadable module, it appears there's no way to open another user's incoming/sent mail. For the 2nd command-line argument, Synchronet seems to always passe the current user number. Also I'm not sure if there is a way to open another user's mail (I've always used the "mail" sub-board code, and that would open my own email).
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 19:27:51 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3187

    I accidentally clicked the "create merge request" button.. I deleted the branch it created.
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 23:04:16 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3188

    I think this is a problem with your DDMsgReader.js.I tried this (reading a user's mail while deleting the user with ;uedit) using msglist.js as the Read Mail module and it worked as expected.Additionally, I confirmed that the 2nd argument passed to the Read Mail module from the user editor is indeed the user being edited/deleted.
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 23:23:37 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3190

    Ehen deleting a user, I had tried having my loadable module output argv and the 2nd parameter was 1. Is that not the user number of the sysop (me)? Is that yhe expected behavior? If so, I'm not clear on how the loadable module is intended to know which user to use.
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 23:45:05 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3191

    I think you're doing something wrong in your debug output.I just added one line to my msglist.js:`log("argv = " + JSON.stringify(argv, null, 4));`... and when deleting user #832, this is logged, as expected:> <Digital Man> argv = [ "mail", "-preview", "0", "832", "0"]This is with msglist.js configured in SCFG->System->Loadable Modules->Read Mail set to``Read Mail Command: msglist mail -preview``
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab issue in main/sbbs on Thu Feb 9 09:18:39 2023
    close https://gitlab.synchro.net/main/sbbs/-/issues/513
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab note in main/sbbs on Thu Feb 9 09:26:38 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3196

    My debug output was just this:console.print(argv);That was outputting 0,1,0 for Read Mail.However, I think the issue may have been a misunderstanding on my part, or something weird going on. Recently I noticed my Last Callers list showed someone logged in with the handle "admin". I hadn't seen that before and wanted to delete that account, and that's when it was showing it passed user number 1 to the loadable module script. I tried again just now, and when I edit "admin" it now shows my account (which makes sense).My log from yesterday shows this:N! Warning: same IP address as user #85 olafN New user: admin FAILED Password verification Created user record #73: adminX- running external Avatar Chooser: user eventN+ Successful new user logon++ (0073) admin Logon 1358 - 1X- running external BullsEye! Bulletins: user eventX- running external Door Scan: user event 1 2, ,LX- running external Synchronet BBS List: program@- 09:50a T: 21 R: 0 P: 0 E: 0 F: 0 U: 0k 0 D: 0k 0It makes sense that Synchronet would consider "admin" to be me, but it seems that someone was able to create a new user account with the name/handle as "admin".
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Gamgee@1:103/705 to Eric Oulashin on Thu Feb 9 18:15:00 2023
    Eric Oulashin wrote to GitLab note in main/sbbs <=-

    <SNIP>

    It makes sense that Synchronet would consider "admin" to be me,
    but it seems that someone was able to create a new user account
    with the name/handle as "admin".

    Strange, that shouldn't be possible assuming "admin" is in your ../text/name.can file (it is there by default).


    ... If it weren't for Edison we'd be using computers by candlelight
    --- MultiMail/Linux v0.52
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)