robogals / myrobogals

myRobogals is the global intranet and record-keeping tool for Robogals. It has been built to simplify many of our day-to-day tasks including organising school visits, maintaining a member database, communicating with members, storing records reliably for future generations and easily collecting statistics on a global scale.
https://my.robogals.org

New security_check attribute for users #66

Closed manhinli closed 11 years ago

manhinli commented 11 years ago
security_check

Type: Boolean
Visible: user and chapter execs
Editable by: chapter execs (via Exec-only fields)

Similar to the "member is trained".

yfcheung commented 11 years ago

Done. You are right, there is a security issue with this problem. Steps to reproduce: if a normal user makes an ftp request to the server to edit their own profile and the request contains FormPartFive (Exec-only fields), then they can edit their own Exec-only fields.

manhinli commented 11 years ago

You mean if a normal user makes a manipulated POST to the server?

Yes, I've just tested that and verified that the hole exists. New issue #68.
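The hole confirmed above is a mass-assignment bug: the server binds whichever form parts the client chose to include, instead of deciding from the requester's role. The following is an added, framework-free illustration (not myRobogals code); `User`, `update_profile_vulnerable`, `update_profile_fixed` and the field sets are assumed names, with a plain dict standing in for the POST body and `EXEC_ONLY_FIELDS` standing in for FormPartFive.

```python
# Added example (not the project's code): a minimal model of the
# profile-update handler discussed in this issue. A dict stands in for
# the POST body; EXEC_ONLY_FIELDS stands in for FormPartFive.
# All names below are assumptions, not myRobogals APIs.

from dataclasses import dataclass, field

# Fields a member may edit on their own profile, and the exec-only group
# (the security_check flag from this issue belongs to the latter).
MEMBER_FIELDS = {"email", "phone"}
EXEC_ONLY_FIELDS = {"trained", "security_check"}


@dataclass
class User:
    username: str
    is_exec: bool = False
    profile: dict = field(default_factory=lambda: {
        "email": "", "phone": "", "trained": False, "security_check": False})


def update_profile_vulnerable(requester, target, post):
    """Binds every submitted field, so a hand-crafted POST that includes
    the exec-only group is accepted even from a normal member. The
    requester's role is never consulted, which is the bug."""
    for key, value in post.items():
        if key in MEMBER_FIELDS | EXEC_ONLY_FIELDS:
            target.profile[key] = value
    return target.profile


def update_profile_fixed(requester, target, post):
    """Chooses which field groups to bind from the requester's role on the
    server, never from what the client sent. Exec-only keys in a non-exec
    request are dropped, and the attempt is returned so it can be logged."""
    allowed = set(MEMBER_FIELDS)
    if requester.is_exec:
        allowed |= EXEC_ONLY_FIELDS
    rejected = sorted(k for k in post if k in EXEC_ONLY_FIELDS - allowed)
    for key, value in post.items():
        if key in allowed:
            target.profile[key] = value
    return target.profile, rejected


def demo():
    # Constructed request: a normal member edits their own profile but
    # adds the exec-only security_check field to the POST body by hand.
    member = User("alice")
    tampered_post = {"email": "alice@example.org", "security_check": True}
    before = update_profile_vulnerable(member, User("alice"), tampered_post)
    after, rejected = update_profile_fixed(member, User("alice"), tampered_post)
    return before["security_check"], after["security_check"], rejected


if __name__ == "__main__":
    print(demo())  # (True, False, ['security_check'])
```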

yfcheung commented 11 years ago

yep got it