
Prevent subscribing to private lists #559

Merged
merged 4 commits into from Jun 12, 2019

4 participants
@xh3n1 (Member) commented Jun 11, 2019

Description

There was no check if the list is private or not when users subscribe/update preferences.
I created a function that determines if the list is private or not. An additional test is needed.

Related Issue

TBA
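As an added illustration of the check this PR introduces (this is not phpList's own code and does not use its database helpers or schema), the snippet below models the subscribe loop and `isPrivateList` against an in-memory SQLite table. The table name `subscribe_list` and its columns `id`, `name`, `private`, the sample rows, and the helper names `createDemoDb`, `selectedPublicLists` and `expect` are all assumptions made for the demo. It shows two points a reviewer would want covered by the missing test: request-supplied keys are validated as integers before they reach the query, and an unknown list id is treated as private so the check fails closed.

```php
<?php
// Added example, not phpList code. Models the "do not subscribe to private
// lists" check with an in-memory SQLite table; all names here are assumptions.
declare(strict_types=1);

function createDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscribe_list (
        id INTEGER PRIMARY KEY,
        name TEXT NOT NULL,
        private INTEGER NOT NULL DEFAULT 0
    )');
    $stmt = $db->prepare('INSERT INTO subscribe_list (id, name, private) VALUES (?, ?, ?)');
    // Constructed sample data: one public list and one private list.
    $stmt->execute([1, 'Newsletter', 0]);
    $stmt->execute([2, 'Staff announcements', 1]);
    return $db;
}

// True when the list is private, and also when the id does not exist at all:
// a missing row must never be treated as a public, subscribable list.
function isPrivateList(PDO $db, int $listid): bool
{
    $stmt = $db->prepare('SELECT private FROM subscribe_list WHERE id = ?');
    $stmt->execute([$listid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return true;
    }
    return (int) $row['private'] === 1;
}

// Mirrors the loop in the PR hunk: $_POST['list'] maps list id => 'signup'.
// The keys come straight from the request, so they are validated as integers
// before the lookup; private (or unknown) lists are skipped.
function selectedPublicLists(PDO $db, array $postList): array
{
    $ids = [];
    foreach ($postList as $key => $val) {
        if ($val !== 'signup') {
            continue;
        }
        $listid = filter_var($key, FILTER_VALIDATE_INT);
        if ($listid === false) {
            continue; // non-numeric key: ignore it
        }
        if (isPrivateList($db, $listid)) {
            continue; // private or unknown list: do not subscribe
        }
        $ids[] = $listid;
    }
    return $ids;
}

// Tiny self-check (a stand-in for the test the PR description says is still needed).
function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException('FAILED: ' . $msg);
    }
}

$db = createDemoDb();
// Constructed request body: public list 1, private list 2, unknown list 999, junk key.
$posted = ['1' => 'signup', '2' => 'signup', '999' => 'signup', 'x' => 'signup'];
$result = selectedPublicLists($db, $posted);

expect($result === [1], 'only the public list is accepted');
expect(isPrivateList($db, 2) === true, 'private list is rejected');
expect(isPrivateList($db, 999) === true, 'unknown list fails closed');
echo 'ok: subscribable lists = ' . implode(',', $result) . PHP_EOL;
```

Run it with `php example.php`; it prints `ok: subscribable lists = 1`. The design point is that the access decision lives in one function that takes an `int`, so callers cannot pass a raw request string to the query, and that a lookup miss is treated the same as a private list.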

xh3n1 added some commits Jun 10, 2019

Created function that checks if list is private
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Do not allow subscribing to private lists
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Update doc
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>

@xh3n1 xh3n1 requested review from suelaP, samtuke and michield Jun 11, 2019

@@ -245,7 +245,7 @@
if (isset($_POST['list']) && is_array($_POST['list'])) {
foreach ($_POST['list'] as $key => $val) {
if ($val == 'signup') {
if ($val == 'signup' && !isPrivateList($key)) { // make sure that the list is private
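Review bot: the inline comment on the changed line contradicts the condition it annotates: `!isPrivateList($key)` lets the list through only when it is not private, so it should read `// make sure that the list is not private`. Also, `$key` is an array key taken directly from `$_POST['list']`, while `isPrivateList` documents its parameter as `int $listid`; validate or cast the key to an integer before the call so the lookup never runs on a request-supplied string.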

michield (Member) Jun 12, 2019

I think you mean
// make sure that the list is not private

xh3n1 (Author, Member) Jun 12, 2019

yes ;)

* @param int $listid
* @return bool
*/
function isPrivateList($listid) {
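Review bot: the docblock declares `@param int $listid`, but the signature `function isPrivateList($listid)` does not enforce it, and the caller in the first hunk passes a key from `$_POST['list']`; add an `int` type declaration (or an explicit `(int)` cast at the top of the function) so the query only ever sees an integer. The function should also return true for a list id that does not exist, so an unknown list fails closed rather than being treated as public. The docblock is missing a one-line description of what the function checks.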

michield (Member) Jun 12, 2019

This gets called three times per list in the code below. I wonder if it makes sense to cache the results in the session to avoid at least two queries per list.

I know that MySQL caches results as well, so it may not be necessary.

xh3n1 (Author, Member) Jun 12, 2019

I am not sure about that.

xh3n1 (Author, Member) Jun 12, 2019

@michield just to clarify: one of them is called when you subscribe and the other one when you update preferences.

michield (Member) Jun 12, 2019

Fair enough. I guess we can deal with that later, as Sam points out.

Fix typo
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
suelaP approved these changes Jun 12, 2019

@samtuke (Contributor) commented Jun 12, 2019

Merging this in order to make the 3.4.3 release. My rationale is that the multiple calls are a performance issue, which is secondary to the security issue. Caching can be added in a separate PR.

@samtuke samtuke merged commit fc1b12a into master Jun 12, 2019

2 checks passed: continuous-integration/travis-ci/pr (The Travis CI build passed), continuous-integration/travis-ci/push (The Travis CI build passed)