Page MenuHomeGitPull.it

Fix broken access control in Calendar edit page
Closed, ResolvedPublic

Description

During some recent changes, I've discovered that if a standard registered user was visiting this URL:

https://atlas.landscapefor.eu/calendar-edit.php?poi_ID=16298

Everything was OK. There was a check to verify if the user has enough permissions:

// no edit privileges no party
if( !$poi->canEditPOICalendar() ) {
    die_asking_for_permissions();
}

But the issue that, if a standard registered user visits this page:

https://atlas.landscapefor.eu/calendar-edit.php?id=151

That registered user is able to edit the calendar because the page was not checking user privileges.

This is a Security issue.

Revisions and Commits

Event Timeline

valerio.bozzolan renamed this task from If someone knows a Calendar ID, that user is able to edit that Calendar to Fix broken access control in Calendar edit page.Fri, Jun 11, 08:29
valerio.bozzolan triaged this task as Unbreak Now! priority.
valerio.bozzolan created this task.
valerio.bozzolan created this object with visibility "Subscribers".
valerio.bozzolan created this object with edit policy "Subscribers".
valerio.bozzolan closed this task as Resolved by committing Restricted Diffusion Commit.Fri, Jun 11, 08:31
valerio.bozzolan added a commit: Restricted Diffusion Commit.
valerio.bozzolan changed the visibility from "Subscribers" to "Public (No Login Required)".Fri, Jun 11, 08:31
valerio.bozzolan changed the edit policy from "Subscribers" to "All Users".

Fixed. This can be public now.