Ticket #1759 (closed defect: fixed)

Opened 13 months ago

Last modified 10 months ago

db/doBuild not secured

Reported by: aoneil
Owned by: aoneil
Priority: medium
Milestone: 2.2.2 feature-lock*
Component: Sapphire Framework
Version:
Severity: medium effort / impact
Keywords: notformerge
Cc:
Hours:

Description

db/build requires an admin login on a live site, but db/doBuild doesn't.

Attachments

DatabaseAdmin.php.diff (0.8 kB) - added by simon_w 10 months ago.

Change History

Changed 13 months ago by sminnee

This will be fixed in 2.1.1 by the allowedActions() system.

Changed 13 months ago by aoneil

  • milestone changed from 2.2.0 to 2.2.1

Changed 10 months ago by simon_w

As I couldn't find any mention of allowedActions in sapphire/, this patch simply checks for admin rights in doBuild() if the first argument is an array, which would suggest that URLParams were passed to it.

Changed 10 months ago by simon_w

Changed 10 months ago by sminnee

  • keywords notformerge added

I'm in the middle of implementing allowedActions ;-)

It will render this patch unnecessary.

Changed 10 months ago by sminnee

  • status changed from new to closed
  • resolution set to fixed

The $allowed_actions variable is now active; this issue has been fixed.
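The gap reported in this ticket, and a default-deny action allow-list of the kind the ticket was closed with, shown on a toy dispatcher. This is an added example, not Sapphire's code or the attached patch; every class, function and permission name is hypothetical, and it assumes a router that maps a URL segment to any public controller method.

```php
<?php
// Toy URL-action dispatcher (hypothetical, not Sapphire's implementation).
class ToyDatabaseAdmin {
    // Default-deny allow-list: action name => permission required.
    // doBuild is deliberately absent, so it cannot be routed to at all.
    public static $allowed = array('build' => 'ADMIN');

    public function build()   { return $this->doBuild(); }
    public function doBuild() { return 'schema rebuilt'; }
}

// Before: the admin check is tied to one action name, while every
// other public method stays reachable through the same router.
function dispatchUnsafe($controller, $action, array $perms) {
    if ($action === 'build' && !in_array('ADMIN', $perms, true)) {
        return '403';
    }
    return method_exists($controller, $action) ? $controller->$action() : '404';
}

// After: the allow-list decides both routability and the permission,
// so a helper method added later is unreachable until it is listed.
function dispatchAllowListed($controller, $action, array $perms) {
    $allowed = $controller::$allowed;
    if (!array_key_exists($action, $allowed)) {
        return '404';
    }
    if (!in_array($allowed[$action], $perms, true)) {
        return '403';
    }
    return $controller->$action();
}

$c         = new ToyDatabaseAdmin();
$anonymous = array();         // constructed sample: no permissions held
$admin     = array('ADMIN');  // constructed sample: admin session

// Compare how each dispatcher treats an anonymous request per action.
foreach (array('build', 'doBuild') as $action) {
    echo $action,
         ' unsafe=', dispatchUnsafe($c, $action, $anonymous),
         ' allow-listed=', dispatchAllowListed($c, $action, $anonymous), "\n";
}
// An admin still reaches the rebuild through the listed action.
echo 'admin build=', dispatchAllowListed($c, 'build', $admin), "\n";
```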
