What steps will reproduce the problem?
1. Edit a permission (either on password or template)
2. Use a tool to tamper with the request data when saving, before it is sent to
the server, changing the access level to something other than READ/WRITE/GRANT
that is still <= 5 characters long.
3. It saves this bogus access level into the database without validating it,
and creates

What is the expected output? What do you see instead?
1. The server should validate the access level is a valid one, and throw an
error and not update the database if it isn't.

Original issue reported on code.google.com by joshdrum...@gmail.com on 4 Dec 2010 at 12:43
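
The server-side check the report asks for, as an added example that is not the project's own code: a length-only check is shown beside an allowlist check that rejects the request before anything is written. All names, the in-memory store, and the assumption that the 5-character limit comes from the column width are hypothetical.

```python
# Added example: every name here is hypothetical, not taken from the project.
from enum import Enum


class AccessLevel(Enum):
    READ = "READ"
    WRITE = "WRITE"
    GRANT = "GRANT"


MAX_COLUMN_LEN = 5  # assumed width of the access-level column


class InvalidAccessLevel(ValueError):
    pass


def length_only_check(raw):
    """Weak check matching the report: any string up to 5 characters passes."""
    return isinstance(raw, str) and len(raw) <= MAX_COLUMN_LEN


def parse_access_level(raw):
    """Allowlist check: exact match against the three defined levels."""
    if not isinstance(raw, str):
        raise InvalidAccessLevel("access level must be a string")
    try:
        return AccessLevel(raw)
    except ValueError:
        raise InvalidAccessLevel(f"unknown access level: {raw!r}") from None


def save_permission(store, subject_id, raw_level):
    """Validate first, then write; a rejected request leaves store untouched."""
    level = parse_access_level(raw_level)
    store[subject_id] = level.value
    return level


def demo():
    store = {"alice": "READ"}  # constructed in-memory stand-in for the table
    results = []
    for raw in ["WRITE", "ADMIN", "", "read", None]:  # constructed request values
        try:
            save_permission(store, "alice", raw)
            results.append((raw, "saved"))
        except InvalidAccessLevel:
            results.append((raw, "rejected"))
    return store, results
```
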