Bug #9134 Any user can view any internal note
Submitted: 11 Mar 2005 22:44 Modified: 14 Mar 2005 15:56
Reporter: Paul Mach Email Updates:
Status: Closed Impact on me:
Category:Eventum Severity:S3 (Non-critical)
Version:1.5 OS:
Assigned to: Bugs System CPU Architecture:Any

[11 Mar 2005 22:44] Paul Mach
Anyone with a viewer account can view any internal note. Only users with a Role greater than Customer are allowed to view notes.

How to repeat:
Login as a user with a Viewer role
Open http://path-to-eventum/view_note.php?id=NOTE_ID in the browser

Suggested fix:
I don't know if this is the optimal fix, but it works.

$ diff -Naur ../e/view_note.php ./view_note.php
--- ../e/view_note.php  Wed Mar  9 16:31:31 2005
+++ ./view_note.php     Fri Mar 11 14:20:06 2005
@@ -40,6 +40,13 @@

 Auth::checkAuthentication(APP_COOKIE, 'index.php?err=5', true);

+// check if user performing this chance has the proper role
+if (Auth::getCurrentRole() < User::getRoleID('Standard User')) {
+    $tpl->setTemplate("permission_denied.tpl.html");
+    $tpl->displayTemplate();
+    exit;
 $note = Note::getDetails($HTTP_GET_VARS["id"]);
 $note["message"] = Misc::activateLinks(nl2br(htmlspecialchars($note["not_note"])));
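Review bot: the added `if` block is never closed: the hunk header promises 7 added lines (`@@ -40,6 +40,13 @@`) but only 5 `+` lines appear, so the closing `+}` (and probably a trailing blank line) was lost when the patch was pasted, and as shown the file will not parse. Please re-post the hunk with the `}` after `exit;` so it can be applied as-is. Two smaller points in the same hunk: the comment reads "performing this chance" where "change" is meant, and the threshold `User::getRoleID('Standard User')` should be checked against the intended policy stated in the report ("Role greater than Customer"), since it is the role name in this comparison, not the report text, that decides who is denied; a one-line comment naming the intended minimum role would make the check self-documenting.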
[14 Mar 2005 15:56] Joao Prado Maia

Thanks for the report! This problem has been fixed in the bitkeeper repository, and the bug fix will be available in the upcoming 1.5.2 release of Eventum.