oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixed a security problem allowing post edits

Browse source
This commit is contained in:
JT Smith 2003-11-17 01:19:57 +00:00
parent e69e464721
commit 065e6a0cd1
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/changelog/5.x.x.txt
View file

@ -31,6 +31,8 @@
- Updated the German translation. (Thanks to Andreas Graf.) - Updated the German translation. (Thanks to Andreas Graf.)
- Fixed a security problem where users could access a forum they didn't have - Fixed a security problem where users could access a forum they didn't have
privileges to view if they created a specific URL. privileges to view if they created a specific URL.
- Fixed a security problem where users could edit a forum post they didn't
create if they generated a proper URL.
5.5.0 5.5.0

2
lib/WebGUI/Forum/UI.pm
View file

@ -1921,7 +1921,7 @@ sub www_postSave {
} }
if ($session{form}{forumPostId} > 0) { # edit if ($session{form}{forumPostId} > 0) { # edit
my $post = WebGUI::Forum::Post->new($session{form}{forumPostId}); my $post = WebGUI::Forum::Post->new($session{form}{forumPostId});
return WebGUI::Privilege::insufficient unless ($post->getThread->getForum->canPost); return WebGUI::Privilege::insufficient unless ($post->canEdit);
if ($post->getThread->getForum->get("addEditStampToPosts")) { if ($post->getThread->getForum->get("addEditStampToPosts")) {
$postData{message} .= "\n\n --- (".WebGUI::International::get(1029)." " $postData{message} .= "\n\n --- (".WebGUI::International::get(1029)." "
.WebGUI::DateTime::epochToHuman(WebGUI::DateTime::time())." ".WebGUI::International::get(1030) .WebGUI::DateTime::epochToHuman(WebGUI::DateTime::time())." ".WebGUI::International::get(1030)