Unauthorized read, post and delete messages in project discussion #124

xiaoyinl · 2018-03-23T05:52:03Z

For example, if user1 creates a project and invites some users into this project. User2 is not in this project. If user2 visits http://127.0.0.1/librarian/discussion.php?project=1 directly, he gets "Error! You are not authorized to see this project." But if user2 visits http://127.0.0.1/librarian/ajaxdiscussion.php?project=1&read=1, he is able to read the messages for this project. Similarly user2 can use project=1&delete=1 to delete all messages, and project=1&newmessage=... to post new messages.

The bug is in ajaxdiscussion.php. Unlike discussion.php, ajaxdiscussion.php doesn't check if the current user is in the specified project.

The text was updated successfully, but these errors were encountered:

xiaoyinl changed the title ~~Unauthorized read, post and delete messages in arbitrary projects~~ Unauthorized read, post and delete messages in project discussion Mar 23, 2018

mkucej self-assigned this Mar 23, 2018

mkucej added the bug label Mar 23, 2018

mkucej added a commit that referenced this issue Mar 23, 2018

unauthorized project discussion bug #124

9cc2263

mkucej closed this as completed Apr 2, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unauthorized read, post and delete messages in project discussion #124

Unauthorized read, post and delete messages in project discussion #124

xiaoyinl commented Mar 23, 2018

Unauthorized read, post and delete messages in project discussion #124

Unauthorized read, post and delete messages in project discussion #124

Comments

xiaoyinl commented Mar 23, 2018