• Read Mail loadable module: No way to read other user's personal mail/s

    From Eric Oulashin@1:103/705 to GitLab issue in main/sbbs on Wed Feb 8 19:14:58 2023
    open https://gitlab.synchro.net/main/sbbs/-/issues/513

    I noticed this while working with my message reader (DDMsgReader.js). For sysops, when deleting a user with the UEDIT command, Synchronet gives you the option to read that user's incoming/sent email. When using the "Read mail" loadable module, it appears there's no way to open another user's incoming/sent mail. For the 2nd command-line argument, Synchronet seems to always pass the current user number. Also I'm not sure if there is a way to open another user's mail (I've always used the "mail" sub-board code, and that would open my own email).
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 19:27:50 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3187

    I accidentally clicked the "create merge request" button.. I deleted the branch it created.
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 23:04:16 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3188

    I think this is a problem with your DDMsgReader.js. I tried this (reading a user's mail while deleting the user with ;uedit) using msglist.js as the Read Mail module and it worked as expected. Additionally, I confirmed that the 2nd argument passed to the Read Mail module from the user editor is indeed the user being edited/deleted.
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Wed Feb 8 23:45:04 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3191

    I think you're doing something wrong in your debug output. I just added one line to my msglist.js:
    `log("argv = " + JSON.stringify(argv, null, 4));`
    ... and when deleting user #832, this is logged, as expected:
    > <Digital Man> argv = [ "mail", "-preview", "0", "832", "0"]
    This is with msglist.js configured in SCFG->System->Loadable Modules->Read Mail set to
    ``Read Mail Command: msglist mail -preview``
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab issue in main/sbbs on Thu Feb 9 09:18:38 2023
    close https://gitlab.synchro.net/main/sbbs/-/issues/513
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Eric Oulashin@1:103/705 to GitLab note in main/sbbs on Thu Feb 9 09:26:38 2023
    https://gitlab.synchro.net/main/sbbs/-/issues/513#note_3196

    My debug output was just this:
    console.print(argv);
    That was outputting 0,1,0 for Read Mail. However, I think the issue may have been a misunderstanding on my part, or something weird going on. Recently I noticed my Last Callers list showed someone logged in with the handle "admin". I hadn't seen that before and wanted to delete that account, and that's when it was showing it passed user number 1 to the loadable module script. I tried again just now, and when I edit "admin" it now shows my account (which makes sense). My log from yesterday shows this:
    N! Warning: same IP address as user #85 olaf
    N New user: admin FAILED Password verification Created user record #73: admin
    X- running external Avatar Chooser: user event
    N+ Successful new user logon
    ++ (0073) admin Logon 1358 - 1
    X- running external BullsEye! Bulletins: user event
    X- running external Door Scan: user event 1 2, ,L
    X- running external Synchronet BBS List: program
    @- 09:50a T: 21 R: 0 P: 0 E: 0 F: 0 U: 0k 0 D: 0k 0
    It makes sense that Synchronet would consider "admin" to be me, but it seems that someone was able to create a new user account with the name/handle as "admin".
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Gamgee@1:103/705 to Eric Oulashin on Thu Feb 9 18:15:00 2023
    Eric Oulashin wrote to GitLab note in main/sbbs <=-

    <SNIP>

    > It makes sense that Synchronet would consider "admin" to be me,
    > but it seems that someone was able to create a new user account
    > with the name/handle as "admin".

    Strange, that shouldn't be possible assuming "admin" is in your ../text/name.can file (it is there by default).


    ... If it weren't for Edison we'd be using computers by candlelight
    --- MultiMail/Linux v0.52
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)