mugle-dev team mailing list archive
Message #00325
[Bug 786685] [NEW] Views aren't restricted by permission
*** This bug is a security vulnerability ***
Private security bug reported:
The permissions system stops you from writing anywhere you shouldn't,
but there don't appear to be any restrictions on what you can view. Any
user can go around to #!/devteam/game/+edit and see everything there,
including all the badges, and the game token.
Users need to be restricted from accessing certain kinds of data. Note
that this can't be done on the client side. The server needs to refuse
to give you certain objects (or refuse to fill in certain fields) if you
ask for them.
** Affects: mugle
Importance: Critical
Status: Triaged
** Tags: security
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
Views aren't restricted by permission
Status in Melbourne University Game-based Learning Environment:
Triaged
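An added example, not part of the bug report and not MUGLE's own code, of the server-side read check the report asks for: the general view leaves restricted fields unfilled, and the data behind the edit page is refused outright to users who are not on the owning dev team. The Game model, the field names, the function names and the policy (including treating badges as owner-only) are hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """The server refuses to hand over the object at all."""

@dataclass(frozen=True)
class Game:                      # hypothetical model, not MUGLE's schema
    devteam: str
    name: str
    token: str                   # secret game token
    badges: tuple = ()
    members: frozenset = frozenset()   # users on the owning dev team

def is_owner(user, game):
    return user is not None and user in game.members

def anyone(user, game):
    return True

# Read policy, checked on the server for every response. Fields that are
# not listed are never serialized (deny by default). Treating badges as
# owner-only is an assumption of this example.
READ_POLICY = {
    "devteam": anyone,
    "name": anyone,
    "badges": is_owner,
    "token": is_owner,
}

def view_game(user, game):
    """General view: fields the caller may not read are left out."""
    return {f: getattr(game, f) for f, may_read in READ_POLICY.items()
            if may_read(user, game)}

def edit_view_game(user, game):
    """Data behind the +edit page: refused outright to non-owners."""
    if not is_owner(user, game):
        raise Forbidden(f"{user!r} may not read edit data for {game.name!r}")
    return view_game(user, game)

# Constructed sample data.
SAMPLE = Game("devteam", "game", token="constructed-token",
              badges=("first-win",), members=frozenset({"alice"}))

if __name__ == "__main__":
    print(view_game("mallory", SAMPLE))   # public fields only
    print(view_game("alice", SAMPLE))     # owner sees token and badges
```

Because the policy is an allow-list, a field added to the model later stays unreadable until someone decides who may see it.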
Follow ups
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-26
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Launchpad Bug Tracker, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: GameToken is visible to users who don't own the game
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: Views aren't restricted by permission
From: Prageeth Silva, 2011-05-23
-
[Bug 786685] Re: Views aren't restricted by permission
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: Views aren't restricted by permission
From: Matt Giuca, 2011-05-23
-
[Bug 786685] Re: Views aren't restricted by permission
From: Matt Giuca, 2011-05-23
-
Re: [Bug 786685] [NEW] Views aren't restricted by permission
From: Scott Ritchie, 2011-05-22
-
[Bug 786685] [NEW] Views aren't restricted by permission
From: Matt Giuca, 2011-05-22