From: SourceForge.net <no...@so...> - 2010-03-15 04:24:03
Bugs item #2970482, was opened at 2010-03-15 00:24
Message generated for change (Tracker Item Submitted) made by sfrgpiel
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1126676&aid=2970482&group_id=248804

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: ui
Group: None
Status: Open
Priority: 9
Private: No
Submitted By: William Piel (sfrgpiel)
Assigned to: Nobody/Anonymous (nobody)
Summary: unauthorized user can edit trees using phylowidget

Initial Comment:
This is a significant security hole: an unauthorized user (e.g. an anonymous user or a non-admin person) can view a tree using phylowidget (i.e. through the search interface), reroot the tree, and then click the "save back to the database" menu item -- and, unfortunately, the save does work and the data are permanently changed!

We need to block this hole. Only if the user is the owner of the tree -- and where the tree belongs to an "in progress" study -- should the user be allowed to modify the tree and save it back to the database.

Frankly, to avoid confusion it would be better to have a duplicate set of phylowidget pages: one available through the submission system (and this one contains the "save back to database" menu item) and one available through the search interface (and this one would not have the "save back to database" menu item).

Also, note that the "Quick Links" box makes no sense for the phylowidget page deployed in the submission system, as following those links exits the submission pages.

----------------------------------------------------------------------
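The report describes a missing server-side authorization check: the "save back to database" action is reachable by anyone who can view a tree, and removing the menu item from the search-interface pages only hides the action, it does not stop a request to the save endpoint. The following is an added example, not code from TreeBASE or PhyloWidget, that models the rule the report asks for (the saver must own the tree's study, and that study must be "in progress") and puts it in the save operation itself rather than in the page that renders the menu. The data classes, the `TreeStore` API, the status string "in progress", the Newick strings and all user and study names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample model; field names and layout are assumptions, not the
# TreeBASE schema.
@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Study:
    study_id: int
    owner: str          # username of the submitter who owns the study
    status: str         # assumed values: "in progress", "published"

@dataclass
class Tree:
    tree_id: int
    study_id: int
    newick: str         # the tree as stored; rerooting rewrites this

class PermissionDenied(Exception):
    """Raised when a caller is not allowed to modify a tree."""

class TreeStore:
    def __init__(self, studies: Iterable[Study], trees: Iterable[Tree]) -> None:
        self.studies: Dict[int, Study] = {s.study_id: s for s in studies}
        self.trees: Dict[int, Tree] = {t.tree_id: t for t in trees}

    def save_tree_unchecked(self, user: Optional[User], tree_id: int, newick: str) -> bool:
        # The behaviour the bug report describes: the save path trusts that only
        # owners ever reach it, so an anonymous or non-owner viewer who invokes
        # "save back to the database" overwrites the stored tree.
        self.trees[tree_id].newick = newick
        return True

    def may_edit_tree(self, user: Optional[User], tree_id: int) -> bool:
        # The rule from the report, decided on the server from stored data only:
        # the user must be logged in, must own the study the tree belongs to,
        # and that study must still be "in progress". There is deliberately no
        # admin override, because the report does not ask for one.
        if user is None:                      # anonymous viewer
            return False
        tree = self.trees.get(tree_id)
        if tree is None:
            return False
        study = self.studies.get(tree.study_id)
        if study is None:
            return False
        return study.owner == user.username and study.status == "in progress"

    def save_tree(self, user: Optional[User], tree_id: int, newick: str) -> bool:
        # Hardened save: the same check guards the write itself, so hiding or
        # showing the menu item in the UI no longer decides who can modify data.
        if not self.may_edit_tree(user, tree_id):
            raise PermissionDenied(f"tree {tree_id} is not editable by {user!r}")
        self.trees[tree_id].newick = newick
        return True

    def menu_items(self, user: Optional[User], tree_id: int) -> List[str]:
        # The UI derives its menu from the same predicate, so the submission
        # pages show the save item and the search pages do not, without the
        # menu being the thing that enforces the rule.
        items = ["reroot", "export"]
        if self.may_edit_tree(user, tree_id):
            items.append("save back to database")
        return items

def build_sample_store() -> TreeStore:
    # Constructed sample data: alice owns an in-progress study (tree 1) and a
    # published study (tree 2); mallory owns nothing.
    studies = [Study(10, "alice", "in progress"), Study(20, "alice", "published")]
    trees = [Tree(1, 10, "((a,b),c);"), Tree(2, 20, "((d,e),f);")]
    return TreeStore(studies, trees)

if __name__ == "__main__":
    store = build_sample_store()
    # The reported hole: anonymous reroot is persisted by the unchecked path.
    store.save_tree_unchecked(None, 1, "(a,(b,c));")
    print("unchecked save by anonymous user persisted:", store.trees[1].newick)
    store = build_sample_store()
    try:
        store.save_tree(User("mallory"), 1, "(a,(b,c));")
    except PermissionDenied as exc:
        print("checked save refused:", exc)
    print("owner of in-progress study:", store.save_tree(User("alice"), 1, "(a,(b,c));"))
```

The check lives in `save_tree`, which is what a request to the save endpoint would call; `menu_items` merely mirrors it for display. Duplicating the PhyloWidget page without the menu item, as the report suggests, is still worth doing for clarity, but on its own it would leave the endpoint open to anyone who sends the save request directly.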