Mantis Bug Tracker

View Issue Details
ID: 0000450
Project: Forum
Category: General
View Status: public
Last Update: 2008-09-24 15:06
Reporter: administrator
Assigned To: administrator
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 0.6.7
Target Version: 0.6.8
Fixed in Version: 0.6.8
Summary: 0000450: Security issue on the item_open procedure
Description: In the security check we were checking that the user was a moderator OR that the user can open a thread or is a super admin.

It should be:
we check that (the user was a moderator AND that the user can open a thread) or is a super admin.

Then we were passing the parent item id instead of the forum_id in the can_do call.
Tags: No tags attached.
Attached Files
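
The two defects described in this issue, modelled as an added example (not the project's own code): the boolean logic before and after the fix, and the effect of passing the parent item id to can_do instead of the forum_id. The `GRANTS` table, the user names, the ids and every function body here are constructed assumptions; only the names `can_do`, `item_open` and `forum_id` come from the issue.

```python
from itertools import product

# Constructed data: forum ids 7 and 42 exist; item 42 is a thread inside forum 7.
# Assumption: item ids and forum ids share a number space, so they can collide.
GRANTS = {("alice", 7): {"open"}, ("bob", 42): {"open"}}

def can_do(user, action, forum_id):
    """Hypothetical stand-in for can_do: per-forum permission lookup."""
    return action in GRANTS.get((user, forum_id), set())

def check_before(is_moderator, can_open, is_super_admin):
    # Flawed check as described: any single condition is enough.
    return is_moderator or can_open or is_super_admin

def check_after(is_moderator, can_open, is_super_admin):
    # Corrected check: (moderator AND can open) OR super admin.
    return (is_moderator and can_open) or is_super_admin

def over_permitted():
    """Flag combinations (moderator, can_open, super_admin) that the old
    check allowed but the corrected check denies."""
    return [flags for flags in product([False, True], repeat=3)
            if check_before(*flags) and not check_after(*flags)]

def item_open_allowed(user, is_moderator, is_super_admin,
                      forum_id, parent_item_id, fixed=True):
    # Second defect: the lookup was scoped to the parent item id.
    scope = forum_id if fixed else parent_item_id
    return check_after(is_moderator, can_do(user, "open", scope), is_super_admin)

if __name__ == "__main__":
    print("Allowed only by the old logic:", over_permitted())
    for user in ("alice", "bob"):
        for fixed in (False, True):
            ok = item_open_allowed(user, True, False, forum_id=7,
                                   parent_item_id=42, fixed=fixed)
            print(f"{user} opens item 42 in forum 7, fixed={fixed}: {ok}")
```

In this constructed data the wrong scope fails in both directions: alice, who holds the permission on forum 7, is denied, while bob, whose permission is on an unrelated forum whose id equals the item id, is allowed.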

- Relationships
child of 0000449 (resolved, administrator): Add item_open to forum_api

-  Notes
~0001163
administrator (administrator)


Now the security stuff is ok

- Issue History
Date Modified Username Field Change
2008-09-24 15:05 administrator New Issue
2008-09-24 15:05 administrator Status new => assigned
2008-09-24 15:05 administrator Assigned To => administrator
2008-09-24 15:05 administrator Relationship added child of 0000449
2008-09-24 15:05 administrator Note Added: 0001163
2008-09-24 15:05 administrator Status assigned => resolved
2008-09-24 15:05 administrator Fixed in Version => 0.6.8
2008-09-24 15:05 administrator Resolution open => fixed