Closed sturnbull closed 11 years ago
Closed with commit #9b6c8f6995d3772d9d78570ea98c137ebf8a0371
When passing the album id via the url we're not adequately checking permissions. For instance:
https://piktur.poly.edu/imageview.php?album=22&offset=0
Album 22 is one that jason uploaded containing one image that is not marked public. Yet anyone can access it.
If we're going to allow users to input which album to view, we need to add a check to ensure that the user has access to that album id, or error out and not process the request.
Good catch.
On Thu, Nov 15, 2012 at 3:39 PM, enasni notifications@github.com wrote:
imageview.php was modified to ensure the album id that is passed to the page exists in the list of album ids that the user has access to. If it doesn't, as suggested, I'm bouncing them back to albumview.
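One way to implement the check described in the comment above (and the original report's suggestion to error out instead of processing the request), as an added example that is not piktur's own code. It assumes a hypothetical albums(id, owner_id, is_public) table and uses constructed sample data in an in-memory SQLite database; the user ids and the second album are made up.

```php
<?php
// Added example, not piktur's own code. Object-level authorization for the
// album id that imageview.php receives via the URL. Assumed (hypothetical)
// schema: albums(id, owner_id, is_public). The SQLite data below is constructed
// for the demonstration only.

// True only if the album exists and is either public or owned by $userId.
function userCanViewAlbum(PDO $db, int $userId, int $albumId): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM albums WHERE id = :album AND (is_public = 1 OR owner_id = :user)'
    );
    $stmt->execute([':album' => $albumId, ':user' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// Resolves the requested album from the query string. Returns the album id when
// the user may view it, or null when the request should be bounced back to
// albumview.php. Deny by default: no session, malformed id, or no access -> null.
function resolveAlbumRequest(PDO $db, ?int $userId, array $query): ?int
{
    if ($userId === null) {
        return null;
    }
    // Reject anything that is not a positive integer before it reaches a query.
    $albumId = filter_var($query['album'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($albumId === false || !userCanViewAlbum($db, $userId, $albumId)) {
        return null;
    }
    return $albumId;
}

// Constructed sample data: album 22 is private and owned by user 7 (a stand-in
// for jason); album 23 is public.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, owner_id INTEGER, is_public INTEGER)');
$db->exec('INSERT INTO albums VALUES (22, 7, 0), (23, 7, 1)');

// Before the fix, any visitor could open ?album=22. With the check only the
// owner resolves album 22; any logged-in user resolves the public album 23;
// an anonymous visitor or a malformed id resolves to null and is bounced.
var_dump(resolveAlbumRequest($db, 7, ['album' => '22']));    // owner
var_dump(resolveAlbumRequest($db, 3, ['album' => '22']));    // other user
var_dump(resolveAlbumRequest($db, 3, ['album' => '23']));    // public album
var_dump(resolveAlbumRequest($db, null, ['album' => '23'])); // no session
var_dump(resolveAlbumRequest($db, 3, ['album' => 'abc']));   // malformed id

// In imageview.php the null case becomes: header('Location: albumview.php'); exit;
```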
If a user chooses an album, hits the back button, and selects a new album the album id is not updated. Looks like if it is already set, the value isn't reset.