hpi-swt2 / event-und-raumplanung

A tool intended to improve the internal planning of events, with a particular focus on the allocation of rooms and equipment.
GNU Affero General Public License v3.0

Security Improvement for approving events with HTTP POST #334

Open jaSunny opened 9 years ago

jaSunny commented 9 years ago

Reproduction:

User A creates simple event -> event shows up in the requested events page (as not approved)
User B logs in and performs a POST against User A's event route (/events/3/approve) -> event is now approved

It seems that there are no security checks on the approve/reject actions. Since the POST cannot be performed via the UI, as the page is not accessible to User B, this is rather low prio at the moment.

Prio medium.
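An added illustration of the gap described in this issue, not code from the event-und-raumplanung project: a plain-Ruby stand-in for the Rails controller, showing the reported approve action beside one that enforces authorization on the server regardless of what the UI exposes. The rule that only admin users may approve or reject, and the sample users and event, are assumptions constructed for this example.

```ruby
# Constructed stand-in for the Rails models; "admin" is an assumed role, not one from the project.
User  = Struct.new(:id, :admin)
Event = Struct.new(:id, :owner_id, :approved)

class NotAuthorized < StandardError; end

# Before: mirrors the reported behaviour. Any authenticated user who knows the route can
# POST /events/:id/approve and the event is approved; nothing checks who is asking.
class UnguardedEventsController
  def initialize(events); @events = events; end

  def approve(_current_user, event_id)
    event = @events.fetch(event_id)
    event.approved = true
    event
  end
end

# After: both state-changing actions run an authorization check first, the equivalent of a
# Rails before_action on approve/reject. Hiding the page from User B is not a control; this is.
class GuardedEventsController
  def initialize(events); @events = events; end

  def approve(current_user, event_id)
    authorize_approver!(current_user)
    event = @events.fetch(event_id)
    event.approved = true
    event
  end

  def reject(current_user, event_id)
    authorize_approver!(current_user)
    event = @events.fetch(event_id)
    event.approved = false
    event
  end

  private

  # Deny the request unless the user holds the (assumed) admin role; the raise maps to a 403.
  def authorize_approver!(user)
    raise NotAuthorized, "user #{user.id} may not approve or reject events" unless user.admin
  end
end

# Constructed data reproducing the report: user 1 (A) owns event 3; user 2 (B) is a plain user.
def sample_events; { 3 => Event.new(3, 1, false) }; end

# Unguarded: User B's POST approves User A's event. Guarded: the same request is refused.
def reproduce_unguarded; UnguardedEventsController.new(sample_events).approve(User.new(2, false), 3).approved; end
def reproduce_guarded; GuardedEventsController.new(sample_events).approve(User.new(2, false), 3).approved; rescue NotAuthorized; :denied; end
```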