Closed manhinli closed 11 years ago
Done. You are right, there is a security issue with this problem. Steps to reproduce: if a normal user makes an FTP request to the server to edit their own profile and the request contains FormPartFive (Exec-only fields), then they can edit their own Exec-only fields.
You mean if a normal user makes a manipulated POST to the server?
Yes, I've just tested that and verified that the hole exists. New issue #68.
yep got it
Type: Boolean. Visible to user and chapter execs. Editable by chapter execs (via Exec-only fields).
Similar to the "member is trained".