hpi-swt2/event-und-raumplanung

[CRITICAL] Any user can approve and reject events

Closed this issue · 8 comments

The navigation link is hidden if "open requests" is forbidden for a user (nevertheless, in a wrong way, see #323).
BUT: open the route /events_approval and you are allowed to view all requests, approve or reject them, and see already approved events.
Speechless...

Yes, but they have to address the related page manually in the browser. However, an additional permissions check would be great.

I fixed that bug; you need to be a member of a group to access that page.
But there is a new follow-up bug, I think... a user who has the ability to approve events by being a member of a group can see any open requests and is able to approve/disapprove any of them.

The follow-up bug should be fixed as well.

Does this fix #323 ?

As I commented in #323, I can't reproduce that bug. Everything seems to work fine.

@leoselig please review on the dev branch whether this bug and #323 are completely fixed
(at least I hope so)

Not fixed
Reproduction:

  • User A creates simple event -> event shows up in the requested events page (as not approved)
  • User B logs in and performs a POST against User A's event route (/events/3/approve)
    -> event is now approved

It seems that there are no security checks on the approve/reject actions.
Since the POST cannot be performed via the UI, as the page is not accessible to User B, this is rather low prio at the moment.

Let's break it up into a different user story as a kind of security improvement. Relates to #334.
This bug deals with the frontend page ("Offene Anfragen") whereas #334 deals with the backend
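The thread converges on two separate checks: a page-level check for the "Offene Anfragen" listing, and a per-event check inside the approve/reject actions themselves, so that a POST to /events/:id/approve is refused regardless of whether the link is visible. The following plain-Ruby sketch (no Rails) is an added example, not code from the event-und-raumplanung project; its data model (users hold group ids, each request is addressed to one approver group) is assumed.

```ruby
# Added example, not the project's code. Assumed model: a user belongs to zero or
# more groups; every event request is addressed to exactly one approver group.
User  = Struct.new(:id, :group_ids)
Event = Struct.new(:id, :approver_group_id, :approved)

class EventApprovalPolicy
  def initialize(user)
    @user = user
  end

  # Page-level check (the /events_approval listing): any approver-group member may open it.
  def index?
    !@user.group_ids.empty?
  end

  # Action-level check for approve/reject: the user must belong to the group this
  # request is addressed to, not merely to *some* group (the follow-up bug above).
  def approve?(event)
    @user.group_ids.include?(event.approver_group_id)
  end
  alias reject? approve?
end

class EventsController
  NotAuthorized = Class.new(StandardError)

  def initialize(events)
    @events = events.map { |e| [e.id, e] }.to_h
  end

  # Simulates POST /events/:id/approve with current_user taken from the session.
  # The check lives in the action, so hiding the navigation link is no longer the
  # only barrier between an arbitrary logged-in user and another user's request.
  def approve(current_user, event_id)
    event = @events.fetch(event_id)
    raise NotAuthorized unless EventApprovalPolicy.new(current_user).approve?(event)
    event.approved = true
    event
  end

  # Returns true when the action was refused, false when it went through.
  def denied?(current_user, event_id)
    approve(current_user, event_id)
    false
  rescue NotAuthorized
    true
  end
end
```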