[Fixed] Security problem: view projects without having rights to see them

1, 2
This topic is locked, no new messages can be posted
avatar SimonK Jul 14. 2006. 1:00 pm #1
There appears to be a problem concerning rights. I created a client and two projects and granted the client rights to one project. When I log in as this client, his project is listed on the right. So far, so good. However, when I click this link and change the ID in the URL, whoops, there's project number 2. Hehe. I was only testing now and I'm pretty impressed, so I'm probably going to use this for my freelance jobs, though I don't think it's such a good idea when one client can view all other projects of other clients. ;)

I was actually surprised that this wasn't brought up yet, am I the only one playing with URL's all the time? :P It's probably something you overlooked. Other than this I think it's pretty stable, though I hope you're planning to make upgrading a bit easier. :) Great job, this tool wil make communicating a lot more easier.

Oh, by the way, the only thing your great app lacks is AJAX. It would make the use even easier than it already is, especially since I find my self clicking a lot of links (and thus refreshing quite often). But don't rush it, take your time to develop a good and stable app.
avatar ashusta Jul 14. 2006. 5:45 pm #2
Did you clear your cookie and reset your session or was it just a URL change that induced the behavior?
avatar leeopold Jul 15. 2006. 4:15 pm #3
I toyed with it and found the same issue. As a client, I changed the last part of the URL from

active_project=2
to
active_project=1

and had access to a project 1, where I was not a member. I could not download a PDF file or read messages from the link in the overview log, but I could view messages using the tab links.
avatar Ilija Studen Staff Jul 16. 2006. 10:53 am #4
SimonK:
I was actually surprised that this wasn't brought up yet, am I the only one playing with URL's all the time? :P It's probably something you overlooked. Other than this I think it's pretty stable, though I hope you're planning to make upgrading a bit easier. :) Great job, this tool wil make communicating a lot more easier.

I overlooked it :( Permissions are really important in this kind of system so this will be fixed ASAP.

SimonK:
Oh, by the way, the only thing your great app lacks is AJAX. It would make the use even easier than it already is, especially since I find my self clicking a lot of links (and thus refreshing quite often). But don't rush it, take your time to develop a good and stable app.

XHR will use aC API to send async requests. So, API first, then AJAX.
avatar SimonK Jul 16. 2006. 3:41 pm #5
Nice, thanks. I wasn't able to test it with cookies/sessions cleared (see first reply) since my servers have been down since yesterday morning (yeah, the DreamHost fileserver thingie).

Quite funny by the way, I noticed my (test) client could not post new messages or anything: those links were hidden. So you did not overlook it completely... ;)
avatar Ilija Studen Staff Jul 16. 2006. 3:45 pm #6
Yes, aC have pretty strong permissions system but I missed to add checks on some pages. I think I'll create more flexible permissions system for 1.0, just to make a good foundation for future versions where will have extensible permissions for plugins and all the stuff we put in.
avatar Ilija Studen Staff Aug 20. 2006. 3:22 am #7
Fixed in SVN R32...
avatar nolroos Aug 28. 2006. 4:34 pm #8
Can this problem be solved with updating some files or do we have to wait until a next version? Thanks!
avatar Ilija Studen Staff Aug 29. 2006. 12:41 am #9
I'm afraid that things are a bit more complex than that - there are several changes in ProjectController plus some in other files and because this one was commited as part of a set of changes I can' isolate them.
avatar Ilija Studen Staff Jan 19. 2007. 7:43 am #10
If you are wondering if this problem is fixed than just to point out: it has been fixed long time ago.

Topic is locked

If you have something important to say about the issues discussed in this post please write at hi@a51dev.com.

or Go To Next Page