
Fix broken access control in Calendar edit page
Closed, Resolved · Public

Description

During some recent changes, I've discovered that if a standard registered user was visiting this URL:

https://atlas.landscapefor.eu/calendar-edit.php?poi_ID=16298

Everything was OK. There was a check to verify if the user has enough permissions:

// no edit privileges no party
if( !$poi->canEditPOICalendar() ) {
    die_asking_for_permissions();
}

But the issue is that, if a standard registered user visits this page:

https://atlas.landscapefor.eu/calendar-edit.php?id=151

That registered user is able to edit the calendar because the page was not checking user privileges.

This is a Security issue.
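The task quotes only the check on the `?poi_ID=` path. The sketch below is an added illustration, not the project's code: it puts the broken dispatch beside a hardened one in which both query parameters resolve to an object first and then pass through one authorization check. `canEditPOICalendar()` and `die_asking_for_permissions()` are the names quoted above; `POI`, `Calendar`, `find()`, `getCalendar()` and `getPOI()` are assumed.

```php
<?php
// Added illustration for the calendar-edit.php access-control bug.
// Assumed names: POI::find(), Calendar::find(), POI::getCalendar(),
// Calendar::getPOI(). Quoted from the task: canEditPOICalendar(),
// die_asking_for_permissions().

// BEFORE (the bug): only the ?poi_ID= branch enforces the check.
function resolve_calendar_vulnerable(array $get) {
    if (isset($get['poi_ID'])) {
        $poi = POI::find((int) $get['poi_ID']);
        // no edit privileges no party
        if (!$poi->canEditPOICalendar()) {
            die_asking_for_permissions();
        }
        return $poi->getCalendar();
    }
    // ?id= branch: the Calendar is looked up by ID and returned to the
    // edit form without ever asking who the requester is.
    return Calendar::find((int) $get['id']);
}

// AFTER: resolve the object on either path, then gate every path through
// the same permission check on the POI that owns the calendar.
function resolve_calendar_fixed(array $get) {
    $poi = null;
    $calendar = null;
    if (isset($get['poi_ID'])) {
        $poi = POI::find((int) $get['poi_ID']);
        $calendar = $poi ? $poi->getCalendar() : null;
    } elseif (isset($get['id'])) {
        $calendar = Calendar::find((int) $get['id']);
        $poi = $calendar ? $calendar->getPOI() : null;
    }
    // Unknown or missing IDs fail closed instead of reaching the form.
    if (!$poi || !$calendar) {
        http_response_code(404);
        exit;
    }
    // Single choke point: the check runs on the object actually being
    // edited, whichever query parameter it was reached through.
    if (!$poi->canEditPOICalendar()) {
        die_asking_for_permissions();
    }
    return $calendar;
}
```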

Revisions and Commits

Event Timeline

valerio.bozzolan renamed this task from "If someone knows a Calendar ID, that user is able to edit that Calendar" to "Fix broken access control in Calendar edit page". Jun 11 2021, 08:29
valerio.bozzolan triaged this task as Unbreak Now! priority.
valerio.bozzolan created this task.
valerio.bozzolan created this object with visibility "Subscribers".
valerio.bozzolan created this object with edit policy "Subscribers".
valerio.bozzolan closed this task as Resolved by committing Restricted Diffusion Commit. Jun 11 2021, 08:31
valerio.bozzolan added a commit: Restricted Diffusion Commit.
valerio.bozzolan changed the visibility from "Subscribers" to "Public (No Login Required)". Jun 11 2021, 08:31
valerio.bozzolan changed the edit policy from "Subscribers" to "All Users".

Fixed. This can be public now.