aC forum: [Fixed] Security problem: view projects without having rights to see them

Post #11 by [user deleted]

[user deleted] — Wed, 30 May 2007 20:46:28 CDT

Sorry if I'm reviving a dead horse here, but I did test the active_project=xxx issue with 0.7.1 recently, and I can view other projects though not assigned to the user.

Wondering if I'm doing something wrong?

Post #10 by Ilija Studen

Ilija Studen — Fri, 19 Jan 2007 07:43:20 CST

If you are wondering if this problem is fixed than just to point out: it has been fixed long time ago.

Post #9 by Ilija Studen

Ilija Studen — Tue, 29 Aug 2006 00:41:20 CDT

I'm afraid that things are a bit more complex than that - there are several changes in ProjectController plus some in other files and because this one was commited as part of a set of changes I can' isolate them.

Post #8 by [user deleted]

[user deleted] — Mon, 28 Aug 2006 16:34:06 CDT

Can this problem be solved with updating some files or do we have to wait until a next version? Thanks!

Post #7 by Ilija Studen

Ilija Studen — Sun, 20 Aug 2006 03:22:10 CDT

Fixed in SVN R32...

Post #6 by Ilija Studen

Ilija Studen — Sun, 16 Jul 2006 15:45:02 CDT

Yes, aC have pretty strong permissions system but I missed to add checks on some pages. I think I'll create more flexible permissions system for 1.0, just to make a good foundation for future versions where will have extensible permissions for plugins and all the stuff we put in.

Post #5 by SimonK

SimonK — Sun, 16 Jul 2006 15:41:39 CDT

Nice, thanks. I wasn't able to test it with cookies/sessions cleared (see first reply) since my servers have been down since yesterday morning (yeah, the DreamHost fileserver thingie).

Quite funny by the way, I noticed my (test) client could not post new messages or anything: those links were hidden. So you did not overlook it completely... ;)

Post #4 by Ilija Studen

Ilija Studen — Sun, 16 Jul 2006 10:53:22 CDT

SimonK:
I was actually surprised that this wasn't brought up yet, am I the only one playing with URL's all the time? :P It's probably something you overlooked. Other than this I think it's pretty stable, though I hope you're planning to make upgrading a bit easier. :) Great job, this tool wil make communicating a lot more easier.

I overlooked it :( Permissions are really important in this kind of system so this will be fixed ASAP.

SimonK:
Oh, by the way, the only thing your great app lacks is AJAX. It would make the use even easier than it already is, especially since I find my self clicking a lot of links (and thus refreshing quite often). But don't rush it, take your time to develop a good and stable app.

XHR will use aC API to send async requests. So, API first, then AJAX.

Post #3 by [user deleted]

[user deleted] — Sat, 15 Jul 2006 16:15:25 CDT

I toyed with it and found the same issue. As a client, I changed the last part of the URL from

active_project=2
to
active_project=1

and had access to a project 1, where I was not a member. I could not download a PDF file or read messages from the link in the overview log, but I could view messages using the tab links.

Post #2 by [user deleted]

[user deleted] — Fri, 14 Jul 2006 17:45:47 CDT

Did you clear your cookie and reset your session or was it just a URL change that induced the behavior?