I have cloned the newpost.ascx web part to my own web part and made some changes.
I set the visibility to "display to roles" to two roles so that it's not visible to the anonymous user. I made sure that the anonymous user is not in either of those roles.
I set the security in all of my forums for posting and replying to "authenticated users only".
I added a line to the event handler to prevent unauthenticated posting.
    protected void btnOK_Click(object sender, EventArgs e)
    {
        #region "Security"

        // Check whether forum exists
        if (ForumContext.CurrentForum == null)
        {
            return;
        }

        // Check whether user is authenticated
        // surroundhealth customization
        if (!CMSContext.IsAuthenticated())
        {
            return;
        }
The built-in Kentico security logic is still in place:
        // Check security
        bool securityCheck = true;
        switch (ForumContext.CurrentState)
        {
            case ForumStateEnum.NewThread:
                securityCheck = IsAvailable(ForumContext.CurrentForum.DataClass.DataRow, ForumActionType.NewThread);
                break;

            case ForumStateEnum.ReplyToPost:
                securityCheck = IsAvailable(ForumContext.CurrentForum.DataClass.DataRow, ForumActionType.Reply);
                break;

            case ForumStateEnum.EditPost:
                securityCheck = ForumContext.CurrentPost != null && IsAvailable(ForumContext.CurrentPost.DataClass.DataRow, ForumActionType.Edit);
                break;
        }

        if (!securityCheck)
        {
            lblError.Visible = true;
            lblError.Text = ResHelper.GetString("ForumNewPost.PermissionDenied");
            return;
        }
But some hackers are still posting to the forum without having authenticated.
Why aren't the Kentico permissions taking effect?
Does anyone else see how hackers are posting to my forum?