BUGGER

Bug Status:
Closed - Resolved
Bug ID: 138
Date Logged: 9/8/2011
Logged By: Ben Tasker
Details: If a user's session expires whilst viewing a subsite, when they log back in they are on the default subsite but the folder is still displayed
Developer: BTasker
Developer Notes: Subsite checking hardened


Bug Comments:


Can replicate;

1. Access a subsite and view the contents of a folder. Make a note of the folder id (in the URL - viewdir.php?Dir=XX)
2. Return to the default subsite (or any other)
3. Alter the URL to read viewdir.php?Dir= followed by the Dir ID
4. Contents of directory are displayed despite being from another subsite

Suspect relevant report generation has not been updated to specify subsite in query

Ben Tasker 09-08-2011 11:57


Could pose a security issue when subsite permissions are implemented (i.e. if a user is denied access to a subsite but knows (or guesses) the folder ID).
Ben Tasker 09-08-2011 11:58


Directories and subdirs were not being displayed (as expected).

However, file query had not been updated to prevent cross subsite access.

Have also updated File Download queries so that if a user cannot authenticate against a subsite, they are unable to attempt to guess Document IDs

Ben Tasker 09-08-2011 12:07


Sent for testing
Ben Tasker 09-08-2011 12:07


Directory contents are no longer displayed.

However, the breadcrumb still displays the correct path to the directory.

Although not a major concern, it is something that should be fixed

Ben Tasker 09-08-2011 12:09


Issue resolved. Function calculate_parent_dir updated to examine whether current subsite and directory subsite are the same.

Bug tested and resolved

Ben Tasker 09-08-2011 12:16
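
The two fixes recorded in the comments above (subsite added to the file query, and a subsite comparison in the breadcrumb path builder), sketched as an added example. This is not BUGGER's own code: it uses Python with an in-memory SQLite database, and the table names, column names, function names and sample rows are all assumptions constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: subsite 1 (default) and subsite 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dirs  (id INTEGER PRIMARY KEY, subsite_id INTEGER,
                            parent_id INTEGER, name TEXT);
        CREATE TABLE files (id INTEGER PRIMARY KEY, dir_id INTEGER,
                            subsite_id INTEGER, name TEXT);
        INSERT INTO dirs VALUES (10, 1, NULL, 'public'),
            (20, 2, NULL, 'finance'), (21, 2, 20, 'payroll');
        INSERT INTO files VALUES (100, 10, 1, 'readme.txt'),
            (200, 21, 2, 'salaries.xls');
    """)
    return db

def list_files_unscoped(db, dir_id):
    """Pre-fix behaviour from the report: the Dir ID alone selects the rows."""
    rows = db.execute("SELECT name FROM files WHERE dir_id = ?", (dir_id,))
    return [r[0] for r in rows]

def list_files_scoped(db, dir_id, session_subsite):
    """Post-fix: the subsite held in the server-side session joins the WHERE."""
    rows = db.execute(
        "SELECT name FROM files WHERE dir_id = ? AND subsite_id = ?",
        (dir_id, session_subsite))
    return [r[0] for r in rows]

def breadcrumb(db, dir_id, session_subsite):
    """Build the path upwards; reveal nothing if any level is cross-subsite."""
    path, seen = [], set()
    while dir_id is not None and dir_id not in seen:
        seen.add(dir_id)  # guard against a parent loop in bad data
        row = db.execute(
            "SELECT name, parent_id, subsite_id FROM dirs WHERE id = ?",
            (dir_id,)).fetchone()
        if row is None or row[2] != session_subsite:
            return []
        path.insert(0, row[0])
        dir_id = row[1]
    return path

if __name__ == "__main__":
    db = build_db()
    print(list_files_unscoped(db, 21))
    print(list_files_scoped(db, 21, 1))
    print(breadcrumb(db, 21, 1), breadcrumb(db, 21, 2))
```

The subsite value passed to the scoped functions has to come from the authenticated session, never from a request parameter, otherwise the check can be bypassed the same way as the Dir ID.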

At the time of its abandonment, BUGGER's template was still under development. Apologies for any feelings of nausea! Copyright Ben Tasker 2009. Released under the GNU GPL V3.
No permission given for Interception of communications by any third party.
"Broken? Have you BUGGERed it?"