Ticket #213 (closed defect: fixed)

Opened 18 months ago

Last modified 18 months ago

ShowChat doesn't check authorization of chats shown

Reported by: winfried
Owned by: winfried
Priority: P2
Milestone: Book environment
Component: intranet
Version: 3.0
Severity: blocker
Keywords:
Cc:

Description

By editing the conv_id number in the link like this: /ShowChat?conv_id=2, you can get access to any arbitrary chat conversation when you are logged in (privilege escalation).

Change History

Changed 18 months ago by winfried

  • owner changed from winfried@… to winfried
  • status changed from new to assigned

Changed 18 months ago by winfried

  • status changed from assigned to closed
  • resolution set to fixed

(In [1147]) Adding authorization to ShowChat.py. closes #213
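
The kind of check this ticket calls for, as an added example that is not the code from changeset [1147] or from this project: a handler that only requires a login, beside one that also requires the requester to be a participant of the requested conversation. The in-memory store, the function names and the participant-based rule are assumptions made for illustration.

```python
# Constructed sample data: conversation id -> participants and messages.
CONVERSATIONS = {
    1: {"participants": {"alice", "bob"}, "messages": ["hi bob", "hi alice"]},
    2: {"participants": {"carol", "dave"}, "messages": ["private note"]},
}


class Forbidden(Exception):
    """Raised when the requester may not see the requested conversation."""


def parse_conv_id(raw):
    """conv_id arrives as a query-string value; accept only plain decimal ids."""
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        raise Forbidden("no such conversation")
    return int(raw)


def show_chat_unchecked(user, raw_conv_id):
    """Behaviour the ticket describes: being logged in is the only condition."""
    if user is None:
        raise Forbidden("login required")
    return CONVERSATIONS[int(raw_conv_id)]["messages"]


def show_chat(user, raw_conv_id):
    """Hardened form: the requester must be a participant of that conversation."""
    if user is None:
        raise Forbidden("login required")
    conv = CONVERSATIONS.get(parse_conv_id(raw_conv_id))
    # Same error for "missing" and "not yours" so ids cannot be enumerated.
    if conv is None or user not in conv["participants"]:
        raise Forbidden("no such conversation")
    return conv["messages"]


def is_denied(user, raw_conv_id):
    """Helper for checks: True when show_chat refuses the request."""
    try:
        show_chat(user, raw_conv_id)
    except Forbidden:
        return True
    return False
```

A regression test for this class of bug should request a conversation as a logged-in user who is not a participant, since a test that only covers anonymous access would pass against the unchecked handler.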
