#71 ✓resolved
Walter McGinnis

Able to the history and preview of an item that is in another basket

Reported by Walter McGinnis | September 29th, 2008 @ 03:26 PM | in 1.1

With a bit of URL surgery, you can see an item that resides in another basket's history or preview.

Fix by restraining find call to only item's within a basket in the item_from_controller_and_id method definition.

Note that other actions, such as edit, etc. are covered by a permit before filter in our controllers, so they don't need this fix.

Comments and changes to this ticket

  • Kete

    Kete September 29th, 2008 @ 03:52 PM

    • State changed from “new” to “resolved”

    (from [f934057f8d390129348a4b5844ef91d4972060e5]) security fix: #71

    using modified URLs, one could access history of item in another basket... this was more of an inconsistency, since other checks would prevent sensitive data from being shown, except for title

    [#71 state:resolved responsible:walter] http://github.com/kete/kete/comm...

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Kete was developed by Horowhenua Library Trust and Katipo Communications Ltd. to build a digital library of Horowhenua material.

People watching this ticket

Tags

Referenced by

Pages