Closed thierryve closed 10 years ago
Thanks! Just to clarify: afaik this is not a security issue, as it does not allow anyone else to change the username or similar, since every user-specific action needs that user to be logged in (to have a valid session with that username/id). I just panicked a little... :)
It's more a bad architecture thing. I'll look into that when there's time. Thanks for the very useful report!
I didn't mean to scare you :D Changed the title of the issue because it is indeed not a direct security issue but more a bad architecture thing.
Fixed in develop branch! Thanks for the report!
Hi,
In, for example, the login controller, all functions that perform a save action (marked by methodname_action) have no auth check.
Some of those actions don't need this check because they are accessible to all users, but this is not the case with editUsername_action.
If you post the right parameters, when not logged in, to the URL (login/editUsername_action), the action will fail on a query error because the user_id is not set in the session.
In my opinion
Auth::handleLogin();
needs to be added. What do you guys think?

Greetz
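The difference the report is getting at, as an added illustration that is not code from the project discussed above: a minimal PHP controller with the save action once without an auth check and once with one. The class and method names (LoginController, editUsername_action, Auth::handleLogin, UserRepository) and the in-memory session and user table are assumptions made so the script runs from the CLI; the project's real classes may look different.

```php
<?php
// Added example, not code from the project in the issue above.
// Names (LoginController, editUsername_action, Auth::handleLogin, UserRepository)
// are assumed; the project's real classes may differ.

declare(strict_types=1);

// Stand-in for $_SESSION so the script runs from the CLI without a web server.
final class Session {
    public static array $data = [];
}

final class NotLoggedIn extends RuntimeException {}

final class Auth {
    // Hypothetical equivalent of the Auth::handleLogin() check proposed in the issue:
    // refuse to continue unless the session carries an authenticated user_id.
    public static function handleLogin(): int {
        if (!isset(Session::$data['user_id']) || !is_int(Session::$data['user_id'])) {
            throw new NotLoggedIn('login required');
        }
        return Session::$data['user_id'];
    }
}

// Constructed in-memory "users" table standing in for the real database.
final class UserRepository {
    public array $rows = [1 => 'alice', 2 => 'bob'];

    public function updateUsername(?int $userId, string $newName): void {
        // Mirrors the query error described in the report: a NULL user_id makes
        // the UPDATE invalid. Here that is a thrown exception instead of a DB error.
        if ($userId === null) {
            throw new RuntimeException('query error: user_id is NULL');
        }
        $this->rows[$userId] = $newName;
    }
}

final class LoginController {
    public function __construct(private UserRepository $users) {}

    // Before: no auth check. An anonymous request is stopped only because the
    // session has no user_id and the query then fails; nothing enforces it.
    public function editUsername_action_unchecked(array $post): string {
        $userId = Session::$data['user_id'] ?? null;
        $this->users->updateUsername($userId, $post['username']);
        return 'ok';
    }

    // After: explicit check first. The database is never touched for an
    // anonymous request, and the user_id always comes from the session,
    // never from the POST body.
    public function editUsername_action(array $post): string {
        $userId = Auth::handleLogin();
        $this->users->updateUsername($userId, $post['username']);
        return 'ok';
    }
}

function demo(): void {
    $repo = new UserRepository();
    $ctl  = new LoginController($repo);
    // Constructed request body; the user_id field is attacker-supplied and must be ignored.
    $post = ['username' => 'mallory', 'user_id' => 1];

    // 1. Anonymous request against the unchecked action: fails late, inside the query.
    Session::$data = [];
    try {
        $ctl->editUsername_action_unchecked($post);
    } catch (RuntimeException $e) {
        echo "unchecked, anonymous: " . $e->getMessage() . PHP_EOL;
    }

    // 2. Anonymous request against the checked action: rejected before any query.
    try {
        $ctl->editUsername_action($post);
    } catch (NotLoggedIn $e) {
        echo "checked, anonymous: " . $e->getMessage() . PHP_EOL;
    }

    // 3. Logged in as user 2: only row 2 changes, whatever user_id the POST carried.
    Session::$data = ['user_id' => 2];
    echo "checked, logged in: " . $ctl->editUsername_action($post) . PHP_EOL;
    echo "rows: " . json_encode($repo->rows) . PHP_EOL;
}

demo();
```

Run it with `php example.php` (PHP 8.0 or later, for constructor property promotion). The point of the third case is that the hardened action takes the user id from the session and ignores the one in the request body, so the check both rejects anonymous requests early and prevents a logged-in user from naming another account.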