
#28 account names can clobber

open
nobody
None
5
2004-09-10
2004-09-10
Anonymous
No

When adding a new account, the name is not checked.
This can allow a user to create an account with an
existing account's name and see the details of that
account.

It also messes up the tables; now each user with that
account name sees two copies.

bug found in 0.4.0

To duplicate bug:
1. As admin, create two users: user1 and user2. Give each
of them rights to add/edit/remove accounts and
transactions.

2. Log in as user1.

3. Create a new account "test account" and set its opening
balance to $100.

4. Add a transaction "secret transaction", with a $10 debit.

5. Log out and log in as user2.

6. Create a new account "test account" and set its opening
balance to $250.

7. View the account. You will see it has $340 in it: an
opening balance, the secret transaction, and another
opening balance.
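
A minimal model of the behaviour reported above, next to one possible fix. This is an added example, not code from the project: the table layout, the function names and the use of SQLite are assumptions, since the report does not show the schema. The rows are constructed from the reproduction steps.

```python
import sqlite3

def vulnerable_balance():
    """Assumed flaw: rows are tied to an account by its name only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE txn (account_name TEXT, owner TEXT, memo TEXT, amount INTEGER)")
    db.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)", [
        ("test account", "user1", "opening balance", 100),
        ("test account", "user1", "secret transaction", -10),
        ("test account", "user2", "opening balance", 250),
    ])
    # user2 views "test account": a lookup by name alone also returns user1's rows.
    row = db.execute("SELECT SUM(amount) FROM txn WHERE account_name = ?",
                     ("test account",)).fetchone()
    return row[0]

def hardened_db():
    """Accounts get a surrogate id; a name is unique per owner, not a join key."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
               "name TEXT NOT NULL, UNIQUE (owner, name))")
    db.execute("CREATE TABLE txn (account_id INTEGER NOT NULL REFERENCES account(id), "
               "memo TEXT, amount INTEGER NOT NULL)")
    return db

def add_account(db, owner, name, opening):
    # Raises sqlite3.IntegrityError if this owner already has an account of that name.
    cur = db.execute("INSERT INTO account (owner, name) VALUES (?, ?)", (owner, name))
    db.execute("INSERT INTO txn VALUES (?, 'opening balance', ?)", (cur.lastrowid, opening))
    return cur.lastrowid

def balance(db, owner, name):
    # Every read is scoped to the requesting owner as well as the account name.
    row = db.execute("SELECT COALESCE(SUM(t.amount), 0) FROM txn t "
                     "JOIN account a ON a.id = t.account_id "
                     "WHERE a.owner = ? AND a.name = ?", (owner, name)).fetchone()
    return row[0]

def hardened_scenario():
    """Replays the reproduction steps against the hardened schema."""
    db = hardened_db()
    acct = add_account(db, "user1", "test account", 100)
    db.execute("INSERT INTO txn VALUES (?, 'secret transaction', -10)", (acct,))
    add_account(db, "user2", "test account", 250)
    return balance(db, "user1", "test account"), balance(db, "user2", "test account")
```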
