I can delete Root folder even if I don't have permissions.
nykroy opened this issue · 2 comments
nykroy commented
Steps to reproduce
1. Select folder
2. Delete folder
3. I click on the message that indicates if I want to confirm the deletion.
4. While it is loading, I click again on the message that indicates if I want to confirm the deletion.

It seems that the second time I confirm the message, it sends the deletion data, losing the folder ID, so it interprets it as 0 (which is the root folder).
Server configuration
Operating system: Debian
Web server:
Database:
PHP version:
Teampass version: 3.1.2
Teampass configuration file:
Updated from an older Teampass or fresh install: yes
Client configuration
Browser: Edge
Operating system: Windows
corentin-soriano commented
`NestedTree->getDescendants()` documentation:

```
 * @param int $folder_id The ID of the node to fetch descendant data for.
 *                       Specify an invalid ID (e.g. 0) to retrieve all data.
```
There are two problems:
- We should not be able to delete the root folder.
- Permissions must be checked for each deleted folder or item.
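
The two checks listed above can be sketched as a server-side guard. This is an added example, not Teampass code: `FOLDERS`, `resolveDeletion()` and the `getDescendants()` stand-in are hypothetical, the stand-in only mimics the documented "invalid ID returns all data" behaviour, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample tree: folder id => parent id (0 = root). Not Teampass data.
const FOLDERS = [1 => 0, 2 => 1, 3 => 1, 4 => 0, 5 => 4];

// Hypothetical stand-in for the documented behaviour quoted above:
// an invalid ID (e.g. 0) returns every folder.
function getDescendants(int $folderId): array
{
    if (!array_key_exists($folderId, FOLDERS)) {
        return array_keys(FOLDERS);
    }
    $found = [$folderId];
    for ($i = 0; $i < count($found); $i++) {
        foreach (FOLDERS as $id => $parent) {
            if ($parent === $found[$i]) {
                $found[] = $id;
            }
        }
    }
    return $found;
}

// Returns the folder ids that may be deleted, or throws before anything is removed.
function resolveDeletion(mixed $rawId, array $writableFolders): array
{
    // Reject missing, empty, non-numeric or non-positive ids instead of letting them become 0.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !array_key_exists($id, FOLDERS)) {
        throw new InvalidArgumentException('invalid folder id');
    }
    $targets = getDescendants($id);
    // Check permission on every folder in the subtree, not only the selected one.
    $denied = array_diff($targets, $writableFolders);
    if ($denied !== []) {
        throw new RuntimeException('no permission on folder(s) ' . implode(',', $denied));
    }
    return $targets;
}

$writable = [1, 2, 3]; // constructed: folders this user is allowed to delete
foreach ([1, '', null, '0', 4] as $raw) {
    try {
        echo var_export($raw, true), ' => delete ', implode(',', resolveDeletion($raw, $writable)), PHP_EOL;
    } catch (Exception $e) {
        echo var_export($raw, true), ' => refused: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first request is allowed: the empty, missing and `'0'` ids are refused before `getDescendants()` is reached, and folder 4 is refused because the user lacks rights on it and its child.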