Thread: Add-On Releases - PS - HelpCenter
View Single Post
  #753  
Old 01-29-2009, 11:04 PM
inciarco's Avatar
inciarco inciarco is offline
 
Join Date: Mar 2007
Posts: 758
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Markus2 View Post
I can't reproduce this. For example my registered test-user can not see the tickets from administrator.
Can't See Them LISTED, but try by Browsing the URL of the Ticket of other User (Private or Public), (very easy because the last Number in the Address is Secuencial), and You'll see that ANY User can Access ANY Other User's Tickets, and also if Options for Edit, Open, Close, Delete, Tickets are Enabled then ANY User can do that to ANY Other User's Tickets; the Options for Usergroups of Edit Tickets and Edit ANY Tickets, are the Same because in the Code there isn't any Usage of the Edit/Open/Close/Delete ANY Ticket but the Code is Currently Designed to use the Edit/Open/Close/Delete Tickets as Edit/Open/Close/Delete ANY Ticket.

If Users are not that Smart they won't be Curious to try and access any other User Ticket, but if they are Malicious (or Smart Enough) they'll Start Seeing Other Users Tickets, simply by Changing the Last Number on the Browser's Address to 1 (ticket 1), 2 (ticket 2), ... x (ticket x), so there is Corrently Not Privacy on the Tickets because the Code is Incomplete.

Review the Code of the File "helpcenter.php" and You'll see that I'm Right.

I Hope PaulSonny would Share with Us a Fixed and Complete Version of that php File that separates those Permissions.

My Best Regards.

Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01121 seconds
  • Memory Usage 1,766KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete