hackzilla-project / TicketBundle

Bundle provides multilingual ticketing functionality for Symfony applications.
http://hackzilla.org
MIT License
64 stars, 43 forks

[Security] Hackzilla\Bundle\TicketBundle\Manager::hasPermission() result is ignored, meaning permissions are not checked and operation is always allowed #263

Closed thibaut-decherit closed 2 years ago

thibaut-decherit commented 2 years ago

Hackzilla\Bundle\TicketBundle\Manager::hasPermission() returns a boolean, but calls to that function do not attempt to use its result. They probably call it expecting it will throw an exception if access should not be granted (e.g. here), but it won't because said exception is caught and the function returns false instead.
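To make the defect in the report concrete, here is an added illustration, not code from the bundle or from the issue's author. It reproduces the pattern described above (a permission check that catches its own exception and reports the outcome only through a boolean) next to a caller that discards the boolean and a caller that honours it. The `TicketManager`, `assertPermission`, `closeTicketUnchecked` and `closeTicketChecked` names, the sample ticket owners, and the local stand-in for Symfony's `AccessDeniedException` are all assumptions made for the example.

```php
<?php
// Added illustration (hypothetical names, not the bundle's own classes):
// a permission check whose boolean result is ignored by one caller and
// honoured by another.

// Stand-in for Symfony\Component\Security\Core\Exception\AccessDeniedException
// so the script runs without a Composer autoloader.
class AccessDeniedException extends RuntimeException {}

final class TicketManager
{
    /** @var array<string, string> ticket id => owner username (constructed sample data) */
    private array $owners = ['T-1' => 'alice', 'T-2' => 'bob'];

    /**
     * Returns true when $username may act on $ticketId. Mirrors the shape
     * described in the report: the check throws internally, the exception is
     * caught, and the outcome is reported only through the return value.
     */
    public function hasPermission(string $username, string $ticketId): bool
    {
        try {
            $this->assertPermission($username, $ticketId);
            return true;
        } catch (AccessDeniedException $e) {
            // Swallowed here, so callers MUST inspect the return value.
            return false;
        }
    }

    private function assertPermission(string $username, string $ticketId): void
    {
        if (($this->owners[$ticketId] ?? null) !== $username) {
            throw new AccessDeniedException(sprintf('%s may not access %s', $username, $ticketId));
        }
    }
}

// Defective caller: the boolean is computed and discarded, so the operation
// proceeds for every user. This is the behaviour the issue reports.
function closeTicketUnchecked(TicketManager $manager, string $username, string $ticketId): string
{
    $manager->hasPermission($username, $ticketId);
    return "closed $ticketId";
}

// Corrected caller: the result gates the operation. Re-throwing an access
// denied exception lets the framework turn it into a 403 response instead of
// silently continuing.
function closeTicketChecked(TicketManager $manager, string $username, string $ticketId): string
{
    if (!$manager->hasPermission($username, $ticketId)) {
        throw new AccessDeniedException(sprintf('%s may not close %s', $username, $ticketId));
    }
    return "closed $ticketId";
}

$manager = new TicketManager();

// Non-owner against the unchecked caller: the close goes through.
echo closeTicketUnchecked($manager, 'mallory', 'T-1'), PHP_EOL;

// Same request against the checked caller: the close is refused.
try {
    closeTicketChecked($manager, 'mallory', 'T-1');
} catch (AccessDeniedException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}

// Owner against the checked caller: the close goes through.
echo closeTicketChecked($manager, 'alice', 'T-1'), PHP_EOL;
```

A quick way to catch this class of bug during review is to grep for call sites of any method named `hasPermission`, `isGranted` or similar and confirm each one appears in a condition or assignment rather than as a bare statement; static analysers can flag an unused return value from a method declared to return `bool`.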

hackzilla commented 2 years ago

Thank you, I'm not entirely sure how this passed me by.