google-code-export / cpassman

Automatically exported from code.google.com/p/cpassman

Read only user can do all actions after modification of disabled attribute - e.g. using Firebug - for every action there should be server side verification #207

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Pre:
1. Firefox with firebug plugin

Act:
1. Login as read only user
2. Change the attribute of the delete button by removing the disabled attribute.
3. Click the button.

Res:
1. Password is deleted.

NOTE:
1. The same applies to other actions, like deleting folders etc.
I assume it may apply to many more actions, since it looks like there is no 
server-side rights verification.

I'm a professional tester; if you are interested, I could cooperate with you on 
that project.

Original issue reported on code.google.com by mateusz....@gmail.com on 12 Dec 2011 at 3:48
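
The server-side verification the report asks for, as an added example (not cPassMan's code): the role is read from the server-side session and every action is checked against a deny-by-default permission map, so the state of a button in the browser has no effect on the outcome. All names here (`REQUIRED_PERMISSION`, `ROLE_PERMISSIONS`, `isAllowed`, `handleRequest`, the action and role strings) are hypothetical.

```php
<?php
// Added example: all names are hypothetical, not cPassMan's schema or API.
declare(strict_types=1);

// Permission each action requires; actions not listed are denied by default.
const REQUIRED_PERMISSION = [
    'show_item'     => 'read',
    'copy_item'     => 'write',
    'edit_item'     => 'write',
    'delete_item'   => 'write',
    'delete_folder' => 'write',
];

// Permissions per role. The role is taken from the server-side session only.
const ROLE_PERMISSIONS = [
    'read_only' => ['read'],
    'user'      => ['read', 'write'],
];

function isAllowed(array $session, string $action): bool
{
    if (!array_key_exists($action, REQUIRED_PERMISSION)) {
        return false; // unknown action
    }
    $role = $session['role'] ?? null;
    if (!is_string($role) || !array_key_exists($role, ROLE_PERMISSIONS)) {
        return false; // missing or unknown role
    }
    return in_array(REQUIRED_PERMISSION[$action], ROLE_PERMISSIONS[$role], true);
}

function handleRequest(array $session, array $post): array
{
    $action = is_string($post['action'] ?? null) ? $post['action'] : '';
    if (!isAllowed($session, $action)) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    // The real handler for $action would run here, after the check.
    return ['status' => 200, 'body' => "$action done"];
}

// Constructed sessions and requests; the POST body is what any client could send.
$readOnly = ['user_id' => 7, 'role' => 'read_only'];
$regular  = ['user_id' => 3, 'role' => 'user'];
$cases = [[$readOnly, 'show_item'], [$readOnly, 'delete_item'], [$regular, 'delete_item'], [$readOnly, 'purge_all']];
foreach ($cases as [$session, $action]) {
    $r = handleRequest($session, ['action' => $action, 'id' => '42']);
    printf("%-9s %-12s -> %d\n", $session['role'], $action, $r['status']);
}
```

The check runs before any handler, so disabling buttons in the page stays a usability hint rather than the access control.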

GoogleCodeExporter commented 9 years ago
Hi there,

Thanks for your very very useful tests.

I'll improve that behavior.

Note: of course I'm interested in any cooperation. I'll certainly contact you 
in order to define how to put something in place.

Thanks

Nils

Original comment by nils.cpa...@gmail.com on 12 Dec 2011 at 8:19

GoogleCodeExporter commented 9 years ago
Any update on this? My readonly user still has the ability to delete, edit and 
copy items. I need it so that readonly is just that: no ability to add, delete, 
edit or copy.

Original comment by hexxamil...@gmail.com on 17 Jan 2012 at 8:54

GoogleCodeExporter commented 9 years ago
Just checking if there is an update on this?

Original comment by hexxamil...@gmail.com on 4 Apr 2012 at 11:01

GoogleCodeExporter commented 9 years ago
Still not ... I've started working hard on security, and this check is planned 
;-)

Original comment by nils.cpa...@gmail.com on 6 Apr 2012 at 6:37

GoogleCodeExporter commented 9 years ago
Sorry to bump this, any update?

Original comment by linhqt...@gmail.com on 4 Jun 2012 at 1:55