Menu
▾
▴
#23 Mailto.php config error causes "access denied"
The default MailTo class file "Mailto.php" has a
configuration error as shown in the "diff" trace below
(need to add "_mailtos" suffix):
$ diff Mailto.php.orig Mailto.php
49c49
< if($_SESSION['OBJ_user']->allow_access("mailto",
"view")) {
---
> if($_SESSION['OBJ_user']->allow_access("mailto",
"view_mailtos")) {
95c95
< if($_SESSION['OBJ_user']->allow_access("mailto",
"edit")) {
---
> if($_SESSION['OBJ_user']->allow_access("mailto",
"edit_mailtos")) {
329c329
< if($_SESSION['OBJ_user']->allow_access("mailto",
"delete")) {
---
> if($_SESSION['OBJ_user']->allow_access("mailto",
"delete_mailtos")) {
$ pwd
././phpwebsite/mod/mailto/class
$
As a consequence of this mis-configuration, the only
user who can configure mail lists is the Admin deity.
If the changes above are made in "Mailto.php", the
admin user can assign MailTo list management to any
registered user. Otherwise, whenever a non-admin user
attempts to edit and/or create a mail list entry, that
user will receive a red warning message: "Access
Denied", even if that user has MailTo module permissions.
