Users able to post to all blogs - confirming and extending previously reported bug by others
- Status
- Closed
- Subject
- Users able to post to all blogs - confirming and extending previously reported bug by others
- Version
- 1.9.x
2.x - Category
- Usability
- Feature
- Blog
Permission - Submitted by
- zorp
- Volunteered to solve
- zorp
- Rating
- Description
On clean installs (empty databases) of TW 1.10 and 1.9.11 (also tested and confirmed on the clean 1.9.11 install on opensourcecms.com).
After users (perms tiki_p_create_blogs and tiki_p_blog_post enabled)create a blog they can proceed to post to any other user's blog. More precisely, on the post blog page, a user can select all blogs from the "Blog" field- Solution
it seems that the function user_has_perm_on_object in tikilib.php (called by the list_blogs_user_can_post function) returns true for all blogs. It seems to me that user_has_perm_on_object either confuses the permission levels of tiki_p_blog_post or it simply doesn't check whether the blog has been marked as private or not.
A quick work around (which completely bypasses user_has_perm_on_object so is probably poses a bunch of security risk):
in the file tikilib.php
in the function function list_blogs_user_can_post
Replace
if( $this->user_has_perm_on_object($user, $res'blogId', 'blog', 'tiki_p_blog_post',0)){with
if( $user $res'user' || $res'public' 'y'){////////////////////////////////
fixed in tikitrunk(3.0)
commit 13737 + 13736- Importance
- 5
- Priority
- 25
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Version: Create show2.tiki.org instanceAbout show2.tiki.orgTo help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
- Ticket ID
- 1782
- Created
- Monday 26 May, 2008 10:26:08 GMT-0000
by Unknown - LastModif
- Tuesday 22 July, 2008 10:57:40 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- Needed for Tiki 26: Color mode switch module
- Feature request: Be able to exclude (by category) the pages listed in Latest Changes module
- Add a command to console.php to invalidate certain objects in the search index
- Counting items in Items List Doesn't Work due to lack of , between items
- Modals in Quartz theme are too narrow
;){kind=link}
;){kind=link}