Closed o7n closed 2 years ago
Yes, you are right about these issues. In some cases it can also be useful.
For TeamMemberController->show() and TeamMemberController->invite():

```php
// Membership check: abort with 403 unless the current user belongs to $team
if (!auth()->user()->teams->contains($team)) {
    abort(403);
}
```
Therefore, if you are a member of several groups, you can see your friends and send invitations to new users. But for the invitation, I agree that this may be subjective; maybe someone does not mind that members can invite new members to the owner's team, or vice versa.
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
There are several security issues in the controller code. Three methods need
below the line
TeamMemberController->invite() has already been discussed in issue #53, and this could be subjective. However, TeamController->update() does not check for ownership. Neither does TeamMemberController->show(), so all members of a team are exposed to anyone.
I can understand that some people would want to allow the first and third case, but it would be better to make this secure by default, where people who do want to allow it can remove the check.
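One way to express the two different checks the thread asks for (membership for viewing members, ownership for editing the team, and owner-only inviting as the secure default) is a Laravel policy that the controllers call through `authorize()`. This is an added example, not code from the project or from either participant; it assumes a `teams.owner_id` column, a `User::teams()` belongs-to-many relationship, and that the policy is registered for the `Team` model (all assumptions, not taken from the thread).

```php
<?php
// Added example. Assumptions (not from the original issue): the teams table
// has an owner_id column, User has a teams() belongsToMany relationship, and
// TeamPolicy is registered for App\Models\Team (auto-discovery or the
// $policies map in AuthServiceProvider).

namespace App\Policies {

    use App\Models\Team;
    use App\Models\User;

    class TeamPolicy
    {
        // Viewing the member list: being a member is enough. This is the check
        // proposed in the thread for TeamMemberController->show().
        public function viewMembers(User $user, Team $team): bool
        {
            return $user->teams->contains($team);
        }

        // Editing the team itself: ownership is required. This is the check the
        // issue reports as missing from TeamController->update().
        public function update(User $user, Team $team): bool
        {
            return $team->owner_id === $user->id;
        }

        // Inviting: secure by default, owner only. A deployment that wants any
        // member to invite can relax this to $this->viewMembers($user, $team),
        // which is the "remove the check" option the issue describes.
        public function invite(User $user, Team $team): bool
        {
            return $this->update($user, $team);
        }
    }
}

namespace App\Http\Controllers {

    use App\Models\Team;
    use Illuminate\Http\Request;

    // Controller base class provides the AuthorizesRequests trait, so
    // $this->authorize() throws AuthorizationException (rendered as 403)
    // when the policy method returns false.
    class TeamController extends Controller
    {
        public function update(Request $request, Team $team)
        {
            $this->authorize('update', $team); // owner only

            $data = $request->validate([
                'name' => ['required', 'string', 'max:255'],
            ]);
            $team->update($data);

            return redirect()->route('teams.show', $team);
        }
    }

    class TeamMemberController extends Controller
    {
        public function show(Team $team)
        {
            $this->authorize('viewMembers', $team); // any member

            return view('teams.members', ['members' => $team->users]);
        }

        public function invite(Request $request, Team $team)
        {
            $this->authorize('invite', $team); // owner only by default

            $data = $request->validate(['email' => ['required', 'email']]);
            // ... create and send the invitation for $data['email'] ...

            return back();
        }
    }
}
```

Keeping the decision in the policy rather than inline in each action means the "who may do this" rule exists in exactly one place, so relaxing `invite` for a project that wants member-initiated invitations is a one-line change that cannot silently weaken `update`.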