evaldofelipe / tracmor

Automatically exported from code.google.com/p/tracmor
GNU General Public License v2.0
0 stars 0 forks source link

User access restrictions not always enforced #60

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Create a user role that has the Assets module enabled, but does not have
access to edit or delete any assets.
2. Assign a user to the user role you just created.
3. Log in as the user, and modify the url to: [host]/assets/asset_edit.php

What is the expected output? What do you see instead?
The user should not be able to save assets in Tracmor. Instead we see that
the Save button appears and the user is able to save data.

Original issue reported on code.google.com by jsincl...@gmail.com on 27 Apr 2009 at 9:39

GoogleCodeExporter commented 8 years ago
Hardcoding URLs is a vulnerability in a lot of different areas. Many times we 
decided
to simply hide shortcut menu options, edit buttons, asset records, rather than 
check
during the action that the user is implementing. GUI Enforcement rather than
application level is fairly common, and implementing a fix would be a 
significant
project.

Original comment by hunterje...@gmail.com on 6 May 2009 at 1:15

GoogleCodeExporter commented 8 years ago
Deferring for now.  Will revisit in the future.

Original comment by jsincl...@gmail.com on 6 Jun 2009 at 1:22

GoogleCodeExporter commented 8 years ago

Original comment by jsincl...@gmail.com on 6 Jun 2009 at 1:22