[CRITICAL] Any user can approve and reject events
Closed this issue · 8 comments
Navigation link is hidden if "open requests" is forbidden for a user (nevertheless in a wrong way, see #323).
BUT: open the route /events_approval and you are allowed to view all requests, approve or reject them, and see already approved events.
Speechless...
Yes, but they have to address the related page manually in the browser. However, an additional permissions check would be great.
I fixed that bug; you need to be a member of a group to access that page.
But there is a new follow-up bug, I think... a user who has the ability to approve events by being a member of a group can see any open requests and is able to approve/disapprove any of them.
Follow-up bug should be fixed as well.
As I commented in #323, I can't reproduce that bug. Everything seems to work fine.
Not fixed
Reproduction:
- User A creates a simple event -> event shows up in the requested events page (as not approved)
- User B logs in and performs a POST against User A's event route (/events/3/approve)
-> event is now approved
It seems that there are no security checks on the approve/reject actions.
Since the POST cannot be performed via the UI, as the page is not accessible to User B, this is rather low prio at the moment.
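The reproduction steps above, modelled as an added example that is not the project's own code: a toy Python app with the thread's routes (`/events_approval`, `/events/<id>/approve` and `/events/<id>/reject`). The `EventApp` class, the `event_approvers` group name and the `requested`/`approved`/`rejected` status values are assumptions. It shows that hiding the navigation link, and even gating the approval page on group membership, do nothing against a direct POST to the approve route, and what changes once the check is enforced on the action itself.

```python
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    groups: frozenset


@dataclass
class Event:
    id: int
    owner: str
    status: str = "requested"  # requested -> approved | rejected (assumed values)


class EventApp:
    """Toy model of the application in the thread; names are assumptions."""

    APPROVER_GROUP = "event_approvers"  # assumed group name

    def __init__(self, check_on_action: bool):
        # check_on_action=False models the state in the reproduction:
        # only the page is protected, the POST handlers are not.
        self.check_on_action = check_on_action
        self.users = {}
        self.events = {}
        self._next_id = 1

    def add_user(self, name, groups=()):
        self.users[name] = User(name, frozenset(groups))

    def create_event(self, owner):
        ev = Event(self._next_id, owner)
        self._next_id += 1
        self.events[ev.id] = ev
        return ev.id

    def is_approver(self, user):
        return self.APPROVER_GROUP in self.users[user].groups

    def nav_links(self, user):
        """What the UI renders. Hiding a link is presentation, not authorization."""
        links = ["/events"]
        if self.is_approver(user):
            links.append("/events_approval")
        return links

    def get(self, user, path):
        """GET /events_approval: gated on group membership (the first fix)."""
        if path == "/events_approval":
            if not self.is_approver(user):
                return 403, None
            pending = [e.id for e in self.events.values() if e.status == "requested"]
            return 200, pending
        return 404, None

    def post(self, user, path):
        """POST /events/<id>/approve|reject: reachable directly, e.g. with curl."""
        m = re.fullmatch(r"/events/(\d+)/(approve|reject)", path)
        if m is None:
            return 404
        ev = self.events.get(int(m.group(1)))
        if ev is None:
            return 404
        if self.check_on_action and not self.is_approver(user):
            return 403  # the missing check: authorize each action, per user
        ev.status = "approved" if m.group(2) == "approve" else "rejected"
        return 200


def reproduce(check_on_action):
    """User A creates an event; User B (no group) posts straight to A's
    approve route. Returns (link visible to B, GET status, POST status,
    final event status)."""
    app = EventApp(check_on_action)
    app.add_user("A")
    app.add_user("B")
    eid = app.create_event("A")
    link_visible = "/events_approval" in app.nav_links("B")
    page_status, _ = app.get("B", "/events_approval")
    post_status = app.post("B", f"/events/{eid}/approve")
    return link_visible, page_status, post_status, app.events[eid].status


def approver_flow():
    """A legitimate group member still gets through once the action is checked."""
    app = EventApp(check_on_action=True)
    app.add_user("A")
    app.add_user("C", groups=[EventApp.APPROVER_GROUP])
    eid = app.create_event("A")
    _, pending = app.get("C", "/events_approval")
    post_status = app.post("C", f"/events/{eid}/reject")
    return pending, post_status, app.events[eid].status


if __name__ == "__main__":
    print("page gated only:", reproduce(False))
    print("action checked: ", reproduce(True))
    print("approver:       ", approver_flow())
```

With the page gated but not the action, B never sees the link and gets 403 on the page, yet the POST returns 200 and the event is approved, which is exactly the reproduction. Moving the membership check into the handler is what closes it; a check that only lives in the navigation or the page template is bypassed by anyone who knows the route.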