vanderaj / gaiabb Goto Github PK

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP
3. Select Cleaning Tools -> Fix Orphaned Favorites

What is the expected output? What do you see instead?
Should show confirmation box with Yes or No buttons. Won't show up.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

User Story
Settings table has maximum value set to 200. Board Rules and Admin Notes 
are include in this table so rules and notes can be only 200 characters 
and it's not enough. 

Constraints
Other settings should be at 200 vars limit.

Tests

Action

User Story

The Close Inactive Threads tool is very basic. Add a forum list like Prune 
Threads tool.

Constraints

Only super | administrators should be able to see this tool. Therefore, forum 
restrictions do not 
apply to this tool.

If this tool was to become a moderation tool, forum restrictions would have to 
apply. 

Tests

Ensure that only valid forums are allowed.
Test for invalid forum values (-z, -1, 0, non-existant forum ID)

Action

What steps will reproduce the problem?
1. Log in
2. Go to topic with poll
3. In browser open new tab with same topic
4. Vote in first tab
5. Vote in second tab

What is the expected output? What do you see instead?
Should give a vote and show results and in second tab should give error. 
Using this cheat you can vote forever and you can see the results only 
when logged out or using other account.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.
Old bug from XMB

What steps will reproduce the problem?
1. Make sure your logged out
2. Go to Index
3. Choose Who's online

What is the expected output? What do you see instead?
One header and error message. Two faulty headers.

Please use labels and text to provide additional information.
Added screenshot

What steps will reproduce the problem?
1. With debug enabled, Go to admin/cp_general.php
2. See the strict warning for inactiveusers

L255: printsetting2($lang['inactiveusers'], 'inactiveusersnew', 
$CONFIG['inactiveusers'], 3);

What is the expected output? What do you see instead?

Inactive Users needs to exist. It should be set to zero (0) by default for 
safety. 

Please use labels and text to provide additional information.

What steps will reproduce the problem?
NB! Flood control must be turned on 

1. Log in 
2. Go to topic and post
3. Post again before flood control time runs out

What is the expected output? What do you see instead?
Error message/notice and redirection back to topic. I see only error message 
and no redirection

What version of the product are you using? On what operating system?
Revision 26

Please provide any additional information below.
Is it possible after redirecting back to topic quick-reply box restores text 
you have inserted or is 
it to complicated?

What steps will reproduce the problem?
1. Log in
2. Go to UserCP
3. Choose Change Password
4. Insert current pass
5. Insert new password
6. Insert new password with mistake

What is the expected output? What do you see instead?
Expected output is seen in picture one (on left side UserCP tools and from 
center to right side error message). I see picture two (no UserCP tools on 
left, only error message) and no redirection back to UserCP/Change Password

What version of the product are you using? On what operating system?
Revision 14

Please provide any additional information below.

What steps will reproduce the problem?
1. Enter something like <username> or similar in a quick reply or post 
2. Submit the post

What is the expected output? What do you see instead?

To show the <username> with &lt; and &gt; on screen (thus de-fanging output)

It's safe now, but wrong. Probably best to remove strip tags altogether. 

When logging out and token code is already took, then error page is faulty. 
Added picture!

Logout link is from viewonline.php

User Story

Import the XMB installer.

Constraints

- Make it look like GaiaBB
- Make it work with our DB layer

Tests

Must install from scratch with no errors
Must upgrade XMB 1.9.11 to GaiaBB 1.0 with no errors

Action

What steps will reproduce the problem?
1. Go to topic where banned user has posted
2. Click Printable button(text)

What is the expected output? What do you see instead?
Should not show text what banned member has posted. Does show a banned members 
post.

Please use labels and text to provide additional information.

What steps will reproduce the problem?
1. Log in
2. Go to User CP
3. Choose Change Password and change it

What is the expected output? What do you see instead?
No post message is shown. Password in database will be changed. Added 
picture.


What version of the product are you using? On what operating system?
Revision 8

Please provide any additional information below.

User Story
Because there is no ModCP and i don't see much point of this feature, maybe 
this should be removed.

Action
Remove from DB and from cp_general

What steps will reproduce the problem?
1. Log in
2. Go to UserCP 
3. Choose Avatars
4. Click Change Avatar without selecting any

What is the expected output? What do you see instead?
Should show error message with UserCP on the left side and should redirect 
back to Avatars or UserCP. Added screenshot

What version of the product are you using? On what operating system?
Revision 14

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in as user
2. Report a post
3. Send

What is the expected output? What do you see instead?
Should recieve one PM but recieves two exact copies.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Turn Duplicate e-mail status ON
2. Register 2 or more users with same e-mail
3. Try to recover all those users password

What is the expected output? What do you see instead?
Every user with same e-mail should have reset password. Only first user 
with this e-mail can reset password. Others have error: "Username and e-
mail wrong".

What version of the product are you using? On what operating system?
Revision27

Please provide any additional information below.

User Story

Currently, GaiaBB uses an old robots (user agents) list. Update the list to be 
as modern as 
possible. 

Constraints

Drop off non-robotic UA's
Ensure remaining UA's do not have prohibited characters

Tests

TBA

Action

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP 
3. Change RPG acitvity status to OFF under General Settings 
4. Go to User CP and change RPG status to ON

What is the expected output? What do you see instead?
RPG activity isn't showed in threads. Should show RPG acitivity in threads

Please use labels and text to provide additional information.
Revision 33
Like I understand, when turning this feature OFF in Admin CP, it should 
change DEFAULT setting to OFF, but when user changes his profile to show 
it, it should show. Am I wrong?

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP
3. Send newsletter to EMAIL

What is the expected output? What do you see instead?
Excpected output should be:

Tere armas meeskond,
vabandan spämmi eest, kuid testin kahte olulist asja!
Lugupidamisega,

Voldemar Kuslap.

I see: 

Tere armas meeskond,rnvabandan spämmi eest, kuid testin kahte olulist
asja!rnLugupidamisega,rnrnVoldemar Kuslap.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in
2. Go to PM
3. Create some new folders
4. You need to have sent messages in your Outbox. If you dont, then send 
some. 
5. Go to Outbox, select all or some messages and move them to created 
folder.

What is the expected output? What do you see instead?
You should see messages in created folder, but you will only see number 
behind folder name and folder itself stays emtpy.
Should give error that sent messages cannot be moved!

What version of the product are you using? On what operating system?
Revision 14

Please provide any additional information below.
Added screenshot

What steps will reproduce the problem?
1. Login as admin
2. Go to Admin CP
3. Select Moderation Tools -> Close Inactive Threads

What is the expected output? What do you see instead?
Should close topics in selected fids. Will cause database error. Added 
screenshot

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in as admin
2. Change some forums theme different from default
3. Go to this forum after saving changes

What is the expected output? What do you see instead?
Should change theme. You must hop different places in this forum (reply -> 
back to the forum -> new reply) before it changes to selected theme.

What version of the product are you using? On what operating system?
Revision 14

Please provide any additional information below.
When logged out, no theme changes!!!
Probably related with cookies.

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP
3. Choose Cleaning Tools -> Fix Orphaned Posts

What is the expected output? What do you see instead?
Should show confirmation box with Yes or No buttons. Won't show up.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

User Story

Students using XO should be able to sign on to GaiaBB using their Moodle 
account without re-
typing a credential.

Constraints

The first user of the GaiaBB forum will be the administrator, as with the XS 
Moodle install. 
Moodle admins are GaiaBB super admins. Users are not provisioned until they 
visit. 

Tests

Action

What steps will reproduce the problem?
1. Go to UserCP -> Options
2. Change the language and tamper with the POST
3. Change the langfile to whatever you want. 

It's not validated. This is replicated throughout the code. 

What is the expected output? What do you see instead?

Only installed language files should be able to be saved in the database 
record. If the language file 
doesn't exist, English should be chosen (it's required for many reasons). 
Consider the use of a RARM 
and ensure that when the first someone is trying to use a non-existing file, 
all database choices are 
validated and returned to English if that choice doesn't exist. 

It is possible to choose a non-installed file, and possibly cause a local file 
include (or worse, a remote 
file include) issue with this code. 

User Story

Some tools take a long time, particularly on large boards. 

Create an Ajax progress bar for these tools, and figure out how to get a 
reasonable status from 
them rather than just timing out. 

Constraints

IE 7+, Firefox 3+, Safari 3+

Tests

Action

User Story

Currently, the board will ALWAYS e-mail the administrator when a database 
panic. This should 
be configurable, as not every host has correctly configured SMTP. 

Constraints

TBA

Tests

TBA

Action

Change this code in mysql5php5.class.php, lines 143 - 148. 

        // TODO: make this configurable as not every host has mail configured
        // TODO: make this use the SMTP classes, if possible
        if ( isset($CONFIG['adminemail']) && isset($CONFIG['bbname']) ) 
        {
            mail($CONFIG['adminemail'], 'GaiaBB :: Database panic from '.$CONFIG['bbname'], 
$msg->getMessage() . "\r\n" . $this->conn->error );         
        }

What steps will reproduce the problem?
1. Log in
2. Go to UserCP
3. Choose Change Email

What is the expected output? What do you see instead?
Post message saying Your password has been changed. Nothing appears, no 
redirecting or loggout. Added screenshot.

What version of the product are you using? On what operating system?
Revision 14.

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP
3. Select Forums -> Prune 
4. Select Prune by X days

What is the expected output? What do you see instead?
Should prune forums. Will cause database error.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Go to registration page
2. Fill all the forms
3. Click register

What is the expected output? What do you see instead?
Should show Successful registration text. Shows nothing.

Please use labels and text to provide additional information.
No email with password is sent!

User Story

Upgrade the members table to take longer salted SHA-256 password hashes. 
Upgrade all 
password handling code to handle the newer passwords.

The salt is a random six character blob of 0-255 values, and stored in a new 
"salt" column. 

If the salt is empty, the password is an older MD5 unsalted password and the 
old code paths 
should continue to work unchanged.

Constraints

Must remain compatible with older unsalted password hashes, but create new 
stronger hashes 
under all change password circumstances

Tests

Login with an old unsalted password
Login with a new salted password
Change password (userCP, edit profile and admin) must create a new salted 
password
Reset password must create a new salted password
Register user (anon & admin) must create a new salted password

Action

User Story

Add a feature that allows users to ignore another user. The ignore list must be 
maintainable by the 
user and the administrator. 

Constraints

Users cannot ignore themselves. 

Tests

Action

If you insert wrong password or username then template is not right. Addedd 
screenshot

Using latest revision (r8).

What steps will reproduce the problem?
1. Log in as admin
2. Change some forum settings to allow anonymous posting
3. Log out
4. Go to this forum and try to create new topic/poll

What is the expected output? What do you see instead?
Should be able to reply topics, but cannot. Should be able to create new 
topic/poll, but gives an error that anonymous posting is not allowed.

What version of the product are you using? On what operating system?
Revision 14

Please provide any additional information below.

What steps will reproduce the problem?
1. Go to Lost Password
2. Submit without inserting any data

What is the expected output? What do you see instead?
Error and redirection back to recovery part. No redirection. Added picture.

Please use labels and text to provide additional information.

What steps will reproduce the problem?
1. Do something not so nice with SQL
2. E-mail is sent to [email protected]

What is the expected output? What do you see instead?

E-mail should be sent to the board administrator. 

Enhancement - make it optional (add a new option to the board CP)

User Story

As the system has stopped anyway, and can't reproduce the user's chosen theme, 
it's best to have a 
really visual indication of badness. Change to prored for errors and panics at 
the database layer

Constraints

Tests

Action

What steps will reproduce the problem?
1. Go to registering page
2. Create new user but insert wrong veryfication code

What is the expected output? What do you see instead?
I see two headers without images. 

Please use labels and text to provide additional information.
Added image. Same bug when posting blank username and/or password!
Revision 27

What steps will reproduce the problem?
1. Create a filename with an apostrophe
2. Try to upload the filename
3. Database panic

What is the expected output? What do you see instead?

Filename to uploaded correctly.

Database panic.

What steps will reproduce the problem?
1. Top and or close a thread
2. View it
3. The topped and close checkboxes are not checked as per the thread's status

What is the expected output? What do you see instead?

The topped and closed checkboxes should be as per the thread. It should be 
possible to untick 
these as part of quick reply (and reply, too) and make that stick.

Please use labels and text to provide additional information.

What steps will reproduce the problem?
1. Go to register page
2. Post with blank information

What is the expected output? What do you see instead?
Error with no logo and two headers. 

Please use labels and text to provide additional information.
Revision 28

User Story

Constraints

Tests

Action

User Story

Currently, GaiaBB uses templates from the database. This requires the use of 
eval(), which is may 
lead to PHP remote execution. Each template needs to be converted into a file 
based template 
system.

Constraints

Ensure all templates are HTML 5 compliant 
Ensure all templates properly escape user supplied data (prevents XSS)

Tests

TBA

Action

What steps will reproduce the problem?
1. Go to admin/cp_faq.php
2. Change URL param fdetail or gdetail to a SQL injection
3. BLAM

What is the expected output? What do you see instead?

No SQL injection. SQL injection

What steps will reproduce the problem?
1. Log in as admin
2.  Go to Admin CP
3. Select Forums -> Prune

What is the expected output? What do you see instead?
Should show post message. Nothing is shown

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in as admin
2. Go to Admin CP
3. Select Cleaning Tools -> Fix Orphaned Subscriptions

What is the expected output? What do you see instead?
Should show confirmation box with Yes or No buttons. Won't show up.

What version of the product are you using? On what operating system?
Revision 10

Please provide any additional information below.

What steps will reproduce the problem?
1. Log in as a user
2. Click Report a post
3. Enter the subject line with a ' 
4. Error

What is the expected output? What do you see instead?

No error. 

Database panic error. 

What steps will reproduce the problem?
1. Certain parameters in pm.php are suscipitable to attribute based XSS
2. Change these parameters to a style based XSS
3. BLAM

What is the expected output? What do you see instead?

No XSS. XSS particularly with IE 6.0

User Story

The current layout is sucky. It would be best to move forum, member and other 
defaults closer to 
their own sections to avoid overloading the first three control panels. 

Constraints

Ensure that admins are the only folks allowed to change these settings. 
Consider adding 
Moderator roles to them, too.

Tests

TBA

Action