Closed nemesifier closed 11 years ago
This is caused by the lack of authorization rules in the configurations_controller. Actually that controller only performs authentication (via the :authenticate_user filter). Please refer to this for an example about acl9 authorization.
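The gap described in the comment above (authentication without authorization), shown as an added example that is not part of the original thread or the project's code. It is a plain-Ruby model of a Rails-style filter chain and does not use acl9's API; the role names, the `RULES` table and the controller class names are hypothetical.

```ruby
# Plain-Ruby model of a filter chain (no Rails or acl9 required).
# User, role names and RULES are constructed for illustration.
User = Struct.new(:name, :roles)

class BaseController
  def self.filters; @filters ||= []; end
  def self.before_filter(name); filters << name; end

  def initialize(current_user); @current_user = current_user; end

  # Run each filter in order; the first one returning a status halts the action.
  def dispatch(action)
    self.class.filters.each do |f|
      status = send(f, action)
      return status if status
    end
    200
  end

  private

  # Authentication only answers "is somebody logged in?"
  def authenticate_user(_action)
    @current_user ? nil : 401
  end
end

# Before: authentication only, so any logged-in user reaches every action.
class AuthOnlyConfigurationsController < BaseController
  before_filter :authenticate_user
end

# After: a per-action allow-list checked after authentication, default deny.
class AuthorizedConfigurationsController < BaseController
  RULES = { index: [:admin, :operator], edit: [:admin], update: [:admin] }.freeze
  before_filter :authenticate_user
  before_filter :authorize_user

  private

  def authorize_user(action)
    allowed = RULES.fetch(action, []) # action with no rule => nobody allowed
    (@current_user.roles & allowed).empty? ? 403 : nil
  end
end
```

A regression test for this class of bug should request each action as the lowest-privileged role and expect a 403, rather than only checking that anonymous requests are rejected.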
Here's the fix: https://github.com/nemesisdesign/OpenWISP-Geographic-Monitoring/commit/f348dc98c0536e1859f4b5d44a9ce5d119ddd8a0
We can either use cherry-pick or wait until the next pull request I'll send.
There is no need to hurry here. Take your time.
Fixed
Users with very low permission levels can access certain resources.
How to reproduce this issue:
The same applies to the user CRUD interface I'm developing now, that's how I discovered the issue. Any suggestions before I proceed to try some technical solution?