Opened 6 years ago

Closed 5 years ago

#1933 closed bug (fixed)

Related groups can be linked by non-members

Reported by: planetcruiser Owned by: Tsjoek
Priority: major Milestone: 2.1
Component: BW Group Keywords:
Cc: shevek

Description

Issue:

  • When using URLs like /groups/xx/addrelatedgroup/yy, group relation links can be created without group membership
  • This bypasses the restriction of mutual group membership enforced by the HTML interface and is therefore a security loophole, or at least an inconsistency

Suggested fix:

  1. Disallow creation of group links for non-members via URL (recommended)
  2. Allow group link creation without group membership via web interface for everyone

Related:

Change History (9)

comment:1 Changed 6 years ago by mahouni

I agree that it is a bug and have the fix ready (not submitted to develop for now):
https://gitorious.org/~mahouni/bewelcome/mahouni-rox/commit/28c81564841a689b877a4db558851b04b2d92cdf

That would be suggestion A.

comment:2 Changed 5 years ago by sitatara

  • Component changed from unknown to BW Group

comment:3 Changed 5 years ago by Tsjoek

  • Cc shevek added
  • Owner set to Tsjoek
  • Status changed from new to assigned

comment:4 Changed 5 years ago by shevek

I think we never had a complaint by a group administrator that some wild assignments were made. Rather than fixing this I'd just close.

comment:5 Changed 5 years ago by Tsjoek

  • Milestone changed from unassigned to 2.1
  • Status changed from assigned to local_testing

But with most of the code already provided it was so easy to solve, that I couldn't resist.

https://gitorious.org/bewelcome/rox/commit/d294cdf009d8247a5e49636285ea097ca29ca9b7

is suggestion A, only you need to be a member of the main group instead of owner, as was already the current state for all us mortals adding/deleting group relations through the web interface.
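The check described in this ticket, modelled as an added example (constructed code, not rox's own handler): the pre-fix URL handler links two groups for anyone who requests the path, while the fixed handler enforces the same requirement as the HTML form, membership of the main group, and also handles the not-logged-in case from comment:8 with a redirect. The route pattern, the sample groups and the status codes are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    related: set = field(default_factory=set)


def sample_groups() -> dict:
    # Constructed sample data: alice belongs to xx only, bob to yy only.
    return {"xx": Group("xx", {"alice"}), "yy": Group("yy", {"bob"})}


# Assumed route shape, taken from the URL quoted in the ticket description.
ROUTE = re.compile(r"^/groups/([^/]+)/addrelatedgroup/([^/]+)$")


def handle_unchecked(groups, path, user):
    """Pre-fix behaviour: the relation is created without asking who the
    caller is, so the form's membership restriction is bypassed."""
    m = ROUTE.match(path)
    if not m or m[1] not in groups or m[2] not in groups:
        return 404, None
    groups[m[1]].related.add(m[2])
    return 200, None


def handle_checked(groups, path, user):
    """Post-fix behaviour: the membership requirement lives in the handler,
    so it applies whether the request comes from the form or a typed URL."""
    m = ROUTE.match(path)
    if not m or m[1] not in groups or m[2] not in groups:
        return 404, None
    main, other = m[1], m[2]
    if user is None:
        # Anonymous caller: redirect to the first group in the URL (comment:8).
        return 302, f"/groups/{main}"
    if user not in groups[main].members:
        # Logged in but not a member of the main group: refuse, log nothing else.
        return 403, "only members of the main group may relate groups"
    groups[main].related.add(other)
    return 200, None
```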

comment:6 Changed 5 years ago by shevek

  • Status changed from local_testing to to_alpha

Deployed to alpha.

comment:7 Changed 5 years ago by shevek

  • Status changed from to_alpha to testing

comment:8 Changed 5 years ago by shevek

Tried to skirt around the constraint that only members can relate groups. Failed.

A minor problem I found is that the same error message is shown also if no one is logged in. I think this should be the case but a redirect should happen instead (to the first group in the URL I'd say).

comment:9 Changed 5 years ago by shevek

  • Resolution set to fixed
  • Status changed from testing to closed

Spin off the minor problem as a new ticket. Closed as fixed.
