Bug #9134 Any user can view any internal note
Submitted: 11 Mar 2005 22:44
Modified: 14 Mar 2005 15:56
Reporter: Paul Mach
Status: Closed
Category: Eventum
Severity: S3 (Non-critical)
Version: 1.5
Assigned to: Bugs System
CPU Architecture: Any

[11 Mar 2005 22:44] Paul Mach
Description:
Anyone with a viewer account can view any internal note. Only users with a Role greater than Customer are allowed to view notes.

How to repeat:
Login as a user with a Viewer role
Open http://path-to-eventum/view_note.php?id=NOTE_ID in the browser

Suggested fix:
I don't know if this is the optimal fix, but it works.

$ diff -Naur ../e/view_note.php ./view_note.php
--- ../e/view_note.php  Wed Mar  9 16:31:31 2005
+++ ./view_note.php     Fri Mar 11 14:20:06 2005
@@ -40,6 +40,13 @@

 Auth::checkAuthentication(APP_COOKIE, 'index.php?err=5', true);

+// check if user performing this chance has the proper role
+if (Auth::getCurrentRole() < User::getRoleID('Standard User')) {
+    $tpl->setTemplate("permission_denied.tpl.html");
+    $tpl->displayTemplate();
+    exit;
+}
+
 $note = Note::getDetails($HTTP_GET_VARS["id"]);
 $note["message"] = Misc::activateLinks(nl2br(htmlspecialchars($note["not_note"])));
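Review bot: The role check at the top of the hunk runs before the note is loaded and never ties `$HTTP_GET_VARS["id"]` to an issue the caller may access, so any account at or above 'Standard User' still reaches `Note::getDetails()` for an arbitrary note ID. Consider moving the check after `Note::getDetails($HTTP_GET_VARS["id"])` and extending it to verify that the current user may access the issue the note belongs to, so the denial covers both the role floor and the specific object being read; the same spot should also handle `Note::getDetails()` returning nothing for an unknown id before `$note["not_note"]` is used. Minor: the comment reads "performing this chance" where "change" is meant.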
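As an added illustration of the authorization gap the report describes (example code written for this page, not Eventum's own; the role numbers, class name, notes, issues and per-project role table are all constructed assumptions), the handler below is shown in its vulnerable form, which returns any note to any authenticated caller, beside a hardened form that loads the note first and then requires a sufficient role in the project of the issue the note belongs to:

```php
<?php
// Added example, not Eventum code. Role levels, notes, issues and the
// per-project role table are constructed for this demonstration.
declare(strict_types=1);

const ROLE_VIEWER        = 1;   // constructed ordering: higher means more access
const ROLE_CUSTOMER      = 3;
const ROLE_STANDARD_USER = 4;

final class NoteService
{
    /**
     * @param array<int,array{issue_id:int,text:string}> $notes       note id => note
     * @param array<int,array{project_id:int}>           $issues      issue id => issue
     * @param array<string,array<int,int>>               $rolesByUser user => [project id => role]
     */
    public function __construct(
        private array $notes,
        private array $issues,
        private array $rolesByUser,
    ) {}

    // Vulnerable form: once authenticated, any caller can read any note id.
    // $user is accepted only so both handlers share a signature.
    public function viewNoteVulnerable(string $user, int $noteId): ?string
    {
        return $this->notes[$noteId]['text'] ?? null;
    }

    // Hardened form: load the note, resolve the issue and project it belongs
    // to, then require a sufficient role in that project. Unknown ids and
    // denied requests both return null so the caller cannot use the
    // difference to learn which note ids exist.
    public function viewNoteHardened(string $user, int $noteId): ?string
    {
        $note = $this->notes[$noteId] ?? null;
        if ($note === null) {
            return null;
        }
        $projectId = $this->issues[$note['issue_id']]['project_id'] ?? null;
        if ($projectId === null) {
            return null;             // orphaned note: treat as not visible
        }
        $role = $this->rolesByUser[$user][$projectId] ?? 0; // not a member => no role
        if ($role < ROLE_STANDARD_USER) {
            return null;             // a real handler renders the permission-denied page here
        }
        return $note['text'];
    }
}

// Constructed sample data: two notes on issues in two projects; "paul" is a
// Viewer in project 1 but a Standard User in project 2.
$svc = new NoteService(
    notes:  [101 => ['issue_id' => 7, 'text' => 'internal note on issue 7'],
             102 => ['issue_id' => 9, 'text' => 'internal note on issue 9']],
    issues: [7 => ['project_id' => 1], 9 => ['project_id' => 2]],
    rolesByUser: ['paul' => [1 => ROLE_VIEWER, 2 => ROLE_STANDARD_USER]],
);

foreach ([101, 102, 999] as $id) {
    printf("note %d vulnerable: %s\n", $id, $svc->viewNoteVulnerable('paul', $id) ?? '(none)');
    printf("note %d hardened:   %s\n", $id, $svc->viewNoteHardened('paul', $id) ?? '(denied)');
}
```

Run under PHP 8 or later (constructor property promotion and named arguments are used). The difference between the two handlers is visible on note 101: the vulnerable form returns it to "paul", who is only a Viewer in that project, while the hardened form denies it and still returns note 102, where the same user holds a Standard User role. The check is deliberately done after the note is loaded, because the project (and therefore the applicable role) is only known once the note's issue is resolved.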
[14 Mar 2005 15:56] Joao Prado Maia
Paul,

Thanks for the report! This problem has been fixed in the bitkeeper repository, and the bug fix will be available in the upcoming 1.5.2 release of Eventum.

--Joao