Fixed security hole where anyone could add events to anyone's existing badge

This commit is contained in:
Frank Dillon 2006-05-22 22:55:31 +00:00
parent 5cb101af44
commit 755922fb57


@ -2167,6 +2167,10 @@ sub www_addEventsToBadge {
my $bid = $self->session->form->process('bid') || 'none';
my $eventId = $self->session->form->process('eventId');
unless ($bid eq 'none') {
my ($userId,$createdByUserId) = $self->session->db->quickArray("select userId, createdByUserId from EventManagementSystem_badges where badgeId=".quote($bid));
unless($isAdmin || $userId eq $self->session->user->userId || $createdByUserId eq $self->session->user->userId) {
return $self->session->privilege->insufficient();
}
$self->session->scratch->set('EMS_add_purchase_badgeId',$bid);
my @pastEvents = $self->session->db->buildArray("select r.productId from EventManagementSystem_registrations as r, EventManagementSystem_purchases as p, transaction as t where r.returned=0 and r.badgeId=? and t.transactionId=p.transactionId and t.status='Completed' and p.purchaseId=r.purchaseId group by productId",[$bid]);
my $purchaseCounter = $self->session->form->process('purchaseCounter');
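Review bot: The ownership lookup on the first added line builds its WHERE clause by string concatenation with `quote($bid)`, while the registrations query four lines below passes `$bid` as a bind parameter; the new authorization check should use the same placeholder style, `my ($userId,$createdByUserId) = $self->session->db->quickArray("select userId, createdByUserId from EventManagementSystem_badges where badgeId=?", [$bid]);`, assuming quickArray accepts a bind array the way buildArray does. When no badge row matches the supplied id, both captured values are undef, so the `eq` comparisons appear to fail closed into insufficient() but will emit uninitialized-value warnings on every such request; an explicit `return $self->session->privilege->insufficient() unless defined $userId;` before the ownership test would make the not-found case deliberate and silent. `$isAdmin` is not assigned anywhere in the hunk, so how it is derived has to be verified in the part of www_addEventsToBadge that precedes this hunk; the sub also continues past the last line shown.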