MantisBT - ATutor
View Issue Details
ID: 0004632
Project: ATutor
Category: Modules
View Status: public
Date Submitted: 2010-11-29 19:06
Last Update: 2011-08-29 14:11
Reporter: harris
Assigned To: greg
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2.0.3
Product Version: SVN
SVN Revision#: 11388
Summary: 0004632: privilege control needed for create album in photo album module
Description: In create_album.php, there are no privilege checks, which allows anyone to create photo albums. Same for addComment.php.


Suggested solution:
Add authenticate(AT_PRIV_PHOTO_ALBUM); to the beginning of the code.
Tags: No tags attached.
Issue History
Date Modified     | Username | Field              | Change
2010-11-29 19:06  | harris   | New Issue          |
2010-11-29 19:06  | harris   | Affects version    | => SVN
2010-11-29 19:27  | harris   | Note Added: 0004750 |
2010-11-29 19:39  | harris   | Note Added: 0004751 |
2010-11-29 19:46  | harris   | Status             | new => resolved
2010-11-29 19:46  | harris   | Resolution         | open => fixed
2010-11-29 19:46  | harris   | Assigned To        | => harris
2010-11-29 19:46  | harris   | Note Added: 0004752 |
2010-12-02 12:45  | harris   | Status             | resolved => feedback
2010-12-02 12:45  | harris   | Resolution         | fixed => reopened
2010-12-02 12:45  | harris   | Note Added: 0004758 |
2011-07-18 16:43  | greg     | Status             | feedback => assigned
2011-08-23 11:24  | greg     | SVN Revision#      | => 11388
2011-08-23 11:24  | greg     | Note Added: 0005207 |
2011-08-23 11:24  | greg     | Status             | assigned => resolved
2011-08-23 11:24  | greg     | Fixed in Version   | => 2.0.3
2011-08-23 11:24  | greg     | Resolution         | reopened => fixed
2011-08-23 11:24  | greg     | Assigned To        | harris => greg
2011-08-29 14:11  | greg     | Note Added: 0005286 |
2011-08-29 14:11  | greg     | Status             | resolved => closed

Notes
(0004750) harris, 2010-11-29 19:27
Same for profile_album.

Can't use authenticate because it allows instructors only. We want restrictions on registered members.

Use the following:

//quit if this is not a member
if(!(isset($_SESSION['member_id']) && $_SESSION['member_id'] > 0)){
    $msg->addError('ACCESS_DENIED');
    header('Location: index.php');
    exit;
}
(0004751) harris, 2010-11-29 19:39
I notice "$_user_location = 'public';" is now in every photo album file. This allowed public access by default. In other words, ATutor does not stop non-registered users from accessing any 'user_location=public' pages unless the photo album module handles it itself.
(0004752) harris, 2010-11-29 19:46
svn: 10424

Added the suggested member_id check. However, I don't think this is the best way to address this problem. Pages probably should not bypass the ATutor default user_location check by setting all pages to public. Instead, it should probably have interface pages (_mystart.php, _public.php) that call upon the include pages (ini.php). The $_user_location should then be added in the interface pages, and let ATutor vitals handle authentication instead of adding user checks manually into the module.
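The following is an added illustration, not ATutor's code and not from the author of either note, of the layout note 0004752 argues for, combined with the registered-member check note 0004750 posts: each interface page declares one $_user_location, a shared gate enforces it before the working include runs, and the include itself never decides access. The function names (enforce_user_location, create_album_mystart, create_album_ini, list_albums_public), the LOCATION_* constants and the three-location model are assumptions made for the example; ATutor's real vitals include, authenticate() and the AT_PRIV_* constants are not reproduced.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for ATutor's $_user_location gate. The real gate lives in
// ATutor's vitals include and its authenticate()/AT_PRIV_* privilege constants;
// none of that is reproduced here (assumption: a page declares one location and a
// shared gate enforces it before the page body runs).
const LOCATION_PUBLIC = 'public';   // anyone, registered or not
const LOCATION_USERS  = 'users';    // registered members (the check note 0004750 adds by hand)
const LOCATION_ADMIN  = 'admin';    // administrators only

/**
 * Returns null when the session satisfies the declared location, otherwise an
 * error code the interface page turns into a redirect. Unknown locations fail closed.
 */
function enforce_user_location(string $user_location, array $session): ?string
{
    $is_member = isset($session['member_id']) && (int) $session['member_id'] > 0;
    $is_admin  = $is_member && !empty($session['is_admin']);

    switch ($user_location) {
        case LOCATION_PUBLIC:
            return null;
        case LOCATION_USERS:
            return $is_member ? null : 'ACCESS_DENIED';
        case LOCATION_ADMIN:
            return $is_admin ? null : 'ACCESS_DENIED';
        default:
            return 'ACCESS_DENIED';
    }
}

/**
 * The shared include page (ini.php in the note). It only does the work; it never
 * decides who may reach it, so a stray "$_user_location = 'public';" inside it
 * would have nothing to bypass.
 */
function create_album_ini(array $request, array $session): string
{
    $name = trim((string) ($request['album_name'] ?? ''));
    if ($name === '') {
        return 'ERROR: album name required';
    }
    return sprintf("album '%s' created for member %d", $name, (int) $session['member_id']);
}

/**
 * Interface page for members (_mystart.php in the note): declares its location,
 * runs the gate, and only then includes the working page.
 */
function create_album_mystart(array $request, array $session): string
{
    $denied = enforce_user_location(LOCATION_USERS, $session);
    if ($denied !== null) {
        // ATutor's equivalent would be $msg->addError($denied); header('Location: index.php'); exit;
        return "redirect index.php ($denied)";
    }
    return create_album_ini($request, $session);
}

/**
 * Interface page for the public listing (_public.php in the note): read-only,
 * so LOCATION_PUBLIC is the right declaration here and only here.
 */
function list_albums_public(array $albums): string
{
    enforce_user_location(LOCATION_PUBLIC, []);   // always passes; kept so every page goes through the gate
    return count($albums) . ' album(s) visible';
}

// Constructed sessions covering the three outcomes.
$anonymous = [];
$member    = ['member_id' => 42];
$admin     = ['member_id' => 1, 'is_admin' => 1];

echo create_album_mystart(['album_name' => 'Field trip'], $anonymous), PHP_EOL;
echo create_album_mystart(['album_name' => 'Field trip'], $member), PHP_EOL;
echo create_album_mystart(['album_name' => ''], $member), PHP_EOL;
echo list_albums_public(['a', 'b']), PHP_EOL;
// Hiding the "create course album" link with $_SESSION['is_admin'] (note 0005207)
// changes only what students see; the server-side gate is what stops the request.
echo enforce_user_location(LOCATION_ADMIN, $member) ?? 'allowed', PHP_EOL;
echo enforce_user_location(LOCATION_ADMIN, $admin) ?? 'allowed', PHP_EOL;
```

Run with the PHP CLI: the anonymous session is redirected with ACCESS_DENIED, the member session creates the album, the empty name is rejected only after the gate has passed, and the admin-only location denies the plain member while admitting the administrator. The point of the split is that the access decision is made once, in the interface page, from a declared location, rather than re-implemented in every include file of the module.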
(0004758) harris, 2010-12-02 12:45
Make a patch for this.
(0005207) greg, 2011-08-23 11:24
Added $_SESSION['is_admin'] around create course album so it won't appear for students.
(0005286) greg, 2011-08-29 14:11
2.0.3 bugs resolved and closed round 2