
Able to see the history and preview of an item that is in another basket
Reported by Walter McGinnis | September 29th, 2008 @ 03:26 PM | in 1.1
With a bit of URL surgery, you can see an item that resides in another basket's history or preview.
Fix by restraining the find call to only items within a basket in the item_from_controller_and_id method definition.
Note that other actions, such as edit, etc. are covered by a permit before filter in our controllers, so they don't need this fix.
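The scoping change the ticket describes, as an added in-memory illustration (not Kete's own code): the model, controller and parameter names are hypothetical stand-ins, and the sample records are constructed.

```ruby
# Added illustration, not Kete's code: an in-memory stand-in for the lookup the
# ticket describes. Class, method and parameter names are hypothetical.
class ItemNotFound < StandardError; end

Topic = Struct.new(:id, :basket, :title)
StillImage = Struct.new(:id, :basket, :title)

# Constructed sample data spread across two baskets, "site" and "private".
RECORDS = {
  Topic => [Topic.new(1, "site", "Welcome"), Topic.new(2, "private", "Board minutes")],
  StillImage => [StillImage.new(1, "site", "Town hall photo")],
}.freeze

# The controller segment of the URL selects the model, as the method name suggests.
CONTROLLER_TO_MODEL = { "topics" => Topic, "images" => StillImage }.freeze

# Before the fix: find by id alone, so a request under the "site" basket for
# topic 2 resolves a record that actually lives in the "private" basket.
def item_from_controller_and_id_unscoped(params)
  model = CONTROLLER_TO_MODEL.fetch(params[:controller])
  found = RECORDS[model].find { |r| r.id == params[:id].to_i }
  found || raise(ItemNotFound)
end

# After the fix: only items belonging to the basket named in the URL are
# candidates, so a modified id from another basket yields ItemNotFound.
def item_from_controller_and_id(params)
  model = CONTROLLER_TO_MODEL.fetch(params[:controller])
  found = RECORDS[model].find { |r| r.basket == params[:basket] && r.id == params[:id].to_i }
  found || raise(ItemNotFound)
end

# What a history or preview view would render: the item title, or nil when
# the lookup fails (a controller would answer 404 instead).
def history_title(params, scoped: true)
  item = scoped ? item_from_controller_and_id(params) : item_from_controller_and_id_unscoped(params)
  item.title
rescue ItemNotFound
  nil
end
```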
Comments and changes to this ticket
Kete September 29th, 2008 @ 03:52 PM
- State changed from new to resolved
(from [f934057f8d390129348a4b5844ef91d4972060e5]) security fix: #71
using modified URLs, one could access history of item in another basket... this was more of an inconsistency, since other checks would prevent sensitive data from being shown, except for title
[#71 state:resolved responsible:walter] http://github.com/kete/kete/comm...
Kete was developed by Horowhenua Library Trust and Katipo Communications Ltd. to build a digital library of Horowhenua material.