MantisBT

View Issue Details

ID: 0004632
Project: ATutor
Category: Modules
View Status: public
Date Submitted: 2010-11-29 19:06
Last Update: 2011-08-29 14:11
Reporter: harris
Assigned To: greg
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 2.0.3
Summary: 0004632: privilege control needed for create album in photo album module
Description: In create_album.php, there are no privilege checks, which allows anyone to create photo albums. Same for addComment.php.

Suggested solution:
Add authenticate(AT_PRIV_PHOTO_ALBUM); to the beginning of the code.
Tags: No tags attached.
Affects version: SVN
SVN Revision#: 11388
Attached Files:

Relationships:

Notes
(0004750)
harris (developer)
2010-11-29 19:27

Same for profile_album.

Can't use authenticate because it allows instructors only. We want restrictions on registered members.

Use the following:

//quit if this is not a member
if(!(isset($_SESSION['member_id']) && $_SESSION['member_id'] > 0)){
    $msg->addError('ACCESS_DENIED');
    header('Location: index.php');
    exit;
}
(0004751)
harris (developer)
2010-11-29 19:39

I notice "$_user_location = 'public';" is now in every photo album file. This allowed public access by default. In other words, ATutor does not stop non-registered users from accessing any 'user_location=public' pages unless the photo album module handles it itself.
(0004752)
harris (developer)
2010-11-29 19:46

svn: 10424

Added the suggested member_id check. However, I don't think this is the best way to address this problem. Pages probably should not bypass the ATutor default user_location check by setting all pages to public. Instead, it should probably have interface pages (_mystart.php, _public.php) that call upon the include pages (ini.php). The $_user_location should then be added in the interface pages, and let ATutor vitals handle authentication instead of adding user checks manually into the module.
(0004758)
harris (developer)
2010-12-02 12:45

Make a patch for this.
(0005207)
greg (administrator)
2011-08-23 11:24

Added $_SESSION['is_admin'] around create course album so it won't appear for students.
(0005286)
greg (administrator)
2011-08-29 14:11

2.0.3 bugs resolved and closed round 2
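As an added example (not ATutor's own code and not part of this issue), a self-contained PHP sketch of the checks discussed in the notes: the member_id gate harris posted, and a server-side admin gate for course album creation that complements greg's change of hiding the link. It assumes only the session keys and the $msg->addError('ACCESS_DENIED') call named in the thread; every function and file name it introduces is hypothetical.

```php
<?php
// Added example, not ATutor's code. Because every photo album page sets
// $_user_location = 'public', ATutor's vitals perform no login check, so the
// module has to enforce access itself. Assumed from the thread:
// $_SESSION['member_id'], $_SESSION['is_admin'], $msg->addError('ACCESS_DENIED').

// Pure checks take the session array so they can be exercised without a web server.
function album_is_member(array $session): bool
{
    // Registered members carry a positive member_id; guests have none or 0.
    return isset($session['member_id']) && (int) $session['member_id'] > 0;
}

function album_is_admin(array $session): bool
{
    // Course album creation is admin-only. Hiding the link in the UI is not a
    // control on its own; the page that performs the action must check too.
    return album_is_member($session) && !empty($session['is_admin']);
}

// Guard for the top of create_album.php, addComment.php and profile_album.php,
// placed before any database write or output. $msg is ATutor's message object.
function album_require(bool $allowed, $msg): void
{
    if (!$allowed) {
        $msg->addError('ACCESS_DENIED');
        header('Location: index.php');
        exit;
    }
}

// Usage in a page (what the snippet from note 0004750 becomes):
//   album_require(album_is_member($_SESSION), $msg);  // create_album.php, addComment.php
//   album_require(album_is_admin($_SESSION), $msg);   // create course album

// Constructed sessions for a CLI self-check: php album_access.php
$cases = [
    'guest'   => [],
    'zero_id' => ['member_id' => 0],
    'member'  => ['member_id' => 42],
    'admin'   => ['member_id' => 1, 'is_admin' => true],
];
foreach ($cases as $name => $session) {
    printf("%-8s member=%d admin=%d\n", $name,
        album_is_member($session), album_is_admin($session));
}
```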

Issue History
Date Modified Username Field Change
2010-11-29 19:06 harris New Issue
2010-11-29 19:06 harris Affects version => SVN
2010-11-29 19:27 harris Note Added: 0004750
2010-11-29 19:39 harris Note Added: 0004751
2010-11-29 19:46 harris Status new => resolved
2010-11-29 19:46 harris Resolution open => fixed
2010-11-29 19:46 harris Assigned To => harris
2010-11-29 19:46 harris Note Added: 0004752
2010-12-02 12:45 harris Status resolved => feedback
2010-12-02 12:45 harris Resolution fixed => reopened
2010-12-02 12:45 harris Note Added: 0004758
2011-07-18 16:43 greg Status feedback => assigned
2011-08-23 11:24 greg SVN Revision# => 11388
2011-08-23 11:24 greg Note Added: 0005207
2011-08-23 11:24 greg Status assigned => resolved
2011-08-23 11:24 greg Fixed in Version => 2.0.3
2011-08-23 11:24 greg Resolution reopened => fixed
2011-08-23 11:24 greg Assigned To harris => greg
2011-08-29 14:11 greg Note Added: 0005286
2011-08-29 14:11 greg Status resolved => closed


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker