Bug #9134 Any user can view any internal note
Submitted: 11 Mar 2005 23:44 Modified: 14 Mar 2005 16:56
Reporter: Paul Mach
Status: Closed
Category: Eventum    Severity: S3 (Non-critical)
Version: 1.5    OS:
Assigned to: Bugs System    Target Version:

[11 Mar 2005 23:44] Paul Mach
Description:
Anyone with a viewer account can view any internal note. Only users with a Role greater
than Customer are allowed to view notes.

How to repeat:
Login as a user with a Viewer role
Open http://path-to-eventum/view_note.php?id=NOTE_ID in the browser

Suggested fix:
I don't know if this is the optimal fix, but it works.

$ diff -Naur ../e/view_note.php ./view_note.php
--- ../e/view_note.php  Wed Mar  9 16:31:31 2005
+++ ./view_note.php     Fri Mar 11 14:20:06 2005
@@ -40,6 +40,13 @@

 Auth::checkAuthentication(APP_COOKIE, 'index.php?err=5', true);

+// check if user performing this chance has the proper role
+if (Auth::getCurrentRole() < User::getRoleID('Standard User')) {
+    $tpl->setTemplate("permission_denied.tpl.html");
+    $tpl->displayTemplate();
+    exit;
+}
+
 $note = Note::getDetails($HTTP_GET_VARS["id"]);
 $note["message"] = Misc::activateLinks(nl2br(htmlspecialchars($note["not_note"])));
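Review bot: The role threshold in the added check does not match the description: the report says only roles greater than Customer may view notes, but the condition denies anything below `User::getRoleID('Standard User')`, so confirm which role is the intended boundary and use that constant consistently with the rest of Eventum's note-viewing code. Two smaller points on the same hunk: the comment reads "performing this chance" and should be "performing this change", and the check only tests the caller's global role before `Note::getDetails($HTTP_GET_VARS["id"])` is called with the raw request value; nothing visible here confirms the caller may access the issue the requested note belongs to, so consider adding an issue-level access check after the note is loaded rather than relying on the role test alone.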
[14 Mar 2005 16:56] Joao Prado Maia
Paul,

Thanks for the report! This problem has been fixed in the bitkeeper repository, and the
bug fix will be available in the upcoming 1.5.2 release of Eventum.

--Joao