View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 5703 | Composr | syndication | public | 2024-04-16 13:42 | 2024-04-30 15:20 |
| Reporter | Adam Edington | Assigned To | PDStig | ||
| Priority | normal | Severity | trivial | ||
| Status | resolved | Resolution | fixed | ||
| Product Version | 10.0.47 | ||||
| Fixed in Version | 10.0.48.beta | ||||
| Summary | 5703: backend.php showing all available feeds to Guests | ||||
| Description | Including admin actions. Pretty sure this isn't intended. | ||||
| Tags | Roadmap: v11 | ||||
| Attach Tags | |||||
| Attached Files | |||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
|
|
Whoopsie that does sound like an issue. |
|
|
@Adam I need more information. It looks like RSS hooks have proper privilege checking in place. What specific backend.php URL calls are causing a leak of info? And where are these calls located? |
|
|
Ignore; I found the issue. I'm assuming it's opml because I saw some feeds listed that guests normally would not have access. I added a clause to hide those for guests. |
|
|
Automated response: backend.php showing all available feeds to Guests backend.php opml mode was publicising all available feeds, even ones guests would not be able to access. This patch hot-fudges a list of feeds we don't want to promote to guests; they will no longer display in the opml feed. However in v11, we should add a new method in the RSS hooks for privilege checking (based on current member) and use that instead. |
|
|
Fixed in git commit 3bfd9724cf (https://gitlab.com/composr-foundation/composr/commit/3bfd9724cf - link will become active once code pushed to GitLab) A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). |
|
|
Fixed in v11 with a better approach using a new method on RSS hook calls https://gitlab.com/composr-foundation/composr/-/commit/e25cffa0ff26d49d1b48b2a62694a57855563972 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-04-16 13:42 | Adam Edington | New Issue | |
| 2024-04-16 13:51 | PDStig | Note Added: 0008622 | |
| 2024-04-16 13:51 | PDStig | Assigned To | => user4172 |
| 2024-04-16 13:51 | PDStig | Status | Not Assigned => Assigned |
| 2024-04-18 02:49 | PDStig | Note Added: 0008635 | |
| 2024-04-18 02:59 | PDStig | Note Added: 0008636 | |
| 2024-04-18 03:03 | PDStig | Tag Attached: Roadmap: v11 | |
| 2024-04-28 23:10 | PDStig | Status | Assigned => Resolved |
| 2024-04-28 23:10 | PDStig | Resolution | open => fixed |
| 2024-04-28 23:10 | PDStig | Note Added: 0008712 |
