lwoods / wp-aec

Automatically exported from code.google.com/p/wp-aec

Security issue: Unauthorized users can edit events that do not belong to them #525

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Unauthorized users can edit events that do not belong to them. Typically, if TestUser-1 tries to edit an event that TestUser-2 created, you are presented with the notification of "You cannot edit events created by other users."

This rule is defined by a CSS class of "fc-event-disabled" that lives on a parent element. If you simply remove that class using Firebug/Chrome Developer Tools, you are then able to access the modal form that edits the event.

Form editing should require server-side validation.

Original issue reported on code.google.com by solut...@gmail.com on 15 Aug 2013 at 4:17
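
The server-side validation the report asks for, shown as an added example that is not part of the original issue or the plugin's own code: the edit handler loads the stored event and compares its owner with the authenticated user before changing anything, so the state of the "fc-event-disabled" class in the browser has no bearing on the result. The function names, the user array, the `can_edit_others` flag and the sample events are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not code from the Ajax Event Calendar plugin.

// Constructed sample data: event id => record as the server would load it from storage.
$events = [
    101 => ['owner_id' => 1, 'title' => 'Team meeting'],  // created by TestUser-1
    102 => ['owner_id' => 2, 'title' => 'Board review'],  // created by TestUser-2
];

/**
 * Decide on the server whether $user may edit $event.
 * 'can_edit_others' is an assumed flag for an administrator-style override.
 */
function can_edit_event(array $event, array $user): bool
{
    return $event['owner_id'] === $user['id'] || !empty($user['can_edit_others']);
}

/**
 * Handle an edit request. Only event_id and title are read from the request;
 * the owner always comes from the stored record, never from the client.
 * Returns [http_status, message].
 */
function handle_edit_request(array &$events, array $user, array $request): array
{
    $id = filter_var($request['event_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($events[$id])) {
        return [404, 'Event not found.'];
    }
    if (!can_edit_event($events[$id], $user)) {
        return [403, 'You cannot edit events created by other users.'];
    }
    $events[$id]['title'] = trim((string) ($request['title'] ?? $events[$id]['title']));
    return [200, 'Event updated.'];
}

// The authenticated user comes from the server-side session, not from the request body.
$testUser1 = ['id' => 1, 'can_edit_others' => false];

// TestUser-1 submits an edit for TestUser-2's event, then for their own event.
print_r(handle_edit_request($events, $testUser1, ['event_id' => '102', 'title' => 'Changed']));
print_r(handle_edit_request($events, $testUser1, ['event_id' => '101', 'title' => 'Standup']));
```

The same ownership check belongs in the handler that returns the edit form's data, not only in the one that saves it.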

GoogleCodeExporter commented 8 years ago
I am no longer able to update/support the Ajax Event Calendar plugin for WordPress.

Alternative Free Calendar Plugins:
http://www.blazdesign.com/5-free-wordpress-calendar-plugins/

Original comment by eranmmil...@gmail.com on 19 Dec 2013 at 3:10