warmshowers / Warmshowers.org

The code for warmshowers.org. If you'd like to help develop code for Warmshowers.org or if you would like to handle some of the website configuration/sitebuilding tasks in the issue queue, please let me know.
http://www.warmshowers.org

Improper access control to privatemsgs #894

Open rfay opened 9 years ago

rfay commented 9 years ago

I note that rfay-testuser can hit

https://www.warmshowers.org/user/1/messages/view/988715

Which should be a message that rfay-testuser was not in the thread.

But a bunch of gibberish is loaded, not sure what it is. The real message thread is not loaded.

It turns out this is https://www.drupal.org/node/2033161 and there's a patch that just needs to be fixed up.

jeanfrancoisbeaulieu commented 9 years ago

Interestingly, visiting this link as westjef (my profile) displays all the messages I've ever written one after the other. Weird.