Security Problem


Hi there,

I am using PP for several projects and I just noticed that by just changing the link from

http://www.website.com/index.php?c=project&a=overview&active_project=1

to

http://www.website.com/index.php?c=project&a=overview&active_project=2

users can easily see what's going on in other projects. They can't add any comments or upload any files, but they can see everything.

Is there any way to prevent them from doing so?

I really need help here, otherwise people will not be interested in using PP.

Thanks a lot,

poldi

Hey poldi12,
Is the user in question in the owner company & set to be automatically assigned to projects?

Hey,

no he is not. He is just involved in two projects, so the link ends with ...project=1 or ...project=2. And by simply changing the number, one can easily get into other projects.

PP knows that the user is not allowed to have a look at this project, because a red box says that he is not allowed to be there. But it does not prevent the user from reading the content.

poldi,

Looking at ProjectController, this checks the permissions:

    if (!logged_user()->isProjectUser(active_project())) {
      flash_error(lang('no access permissions'));
      $this->redirectTo('dashboard');
    } // if

This checks the project_users table for an occurrence of "project_id == active_project().id AND user_id = logged_user().id".

What I would check is: are these users actually members of the project? If not in the interface, then in the database?

Apart from that, I can't think of anything else that would be at fault here. Unless your PHP isn't really die()'ing with the redirect.
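An added example, written for this thread and not ProjectPier's own code (nor the patch linked later), that models the failure mode suggested above: an access check that emits the error flash and a redirect but does not stop execution, so the rest of the action still renders the project into the very same response. Everything below (the Response class, the project and project_users sample rows, user id 42, the function names) is constructed for illustration.

```php
<?php
// Added example, not ProjectPier code. Models a redirect that does not stop the
// action (the "redirectTo() without die()" hypothesis) next to the hardened form.

// Minimal stand-in for the HTTP response a controller action builds up.
final class Response {
    public array $headers = [];   // e.g. ['Location' => '...'] for a redirect
    public array $flash = [];     // error messages shown in the red box
    public string $body = '';     // rendered page content
}

// Constructed sample tables: two projects, and a project_users table in which
// user 42 is a member of project 1 only.
const PROJECTS = [
    1 => ['name' => 'Project One', 'tasks' => ['Write spec', 'Review design']],
    2 => ['name' => 'Project Two', 'tasks' => ['Pricing model v3 (confidential)']],
];
const PROJECT_USERS = [[1, 42]];   // rows of (project_id, user_id)

// Same semantics as the isProjectUser() check quoted in the thread: look for a
// row with project_id == $projectId AND user_id == $userId.
function isProjectUser(int $projectId, int $userId): bool {
    foreach (PROJECT_USERS as [$pid, $uid]) {
        if ($pid === $projectId && $uid === $userId) {
            return true;
        }
    }
    return false;
}

// Renders the project overview into the response body (the part that leaks).
function renderProject(int $projectId, Response $r): void {
    $p = PROJECTS[$projectId];
    $r->body .= '<h1>' . htmlspecialchars($p['name'], ENT_QUOTES) . "</h1>\n";
    foreach ($p['tasks'] as $task) {
        $r->body .= '<li>' . htmlspecialchars($task, ENT_QUOTES) . "</li>\n";
    }
}

// VULNERABLE: the flash and the Location header are queued, but nothing stops
// the action, so the full project page is still rendered into the same
// response. Any client that does not follow the 302 (curl, a script, a browser
// if the header never made it out) reads it in full.
function overviewVulnerable(int $activeProject, int $userId): Response {
    $r = new Response();
    if (!isProjectUser($activeProject, $userId)) {
        $r->flash[] = 'no access permissions';
        $r->headers['Location'] = '/index.php?c=dashboard';
        // missing: exit / return here
    }
    renderProject($activeProject, $r);
    return $r;
}

// HARDENED: deny, redirect, and stop. In a real PHP controller this is
// header('Location: ...'); exit;  (or a redirectTo() that calls exit itself).
// Nothing after the check runs, so no project data reaches the response.
function overviewFixed(int $activeProject, int $userId): Response {
    $r = new Response();
    if (!isProjectUser($activeProject, $userId)) {
        $r->flash[] = 'no access permissions';
        $r->headers['Location'] = '/index.php?c=dashboard';
        return $r;   // body stays empty
    }
    renderProject($activeProject, $r);
    return $r;
}

// Demo: user 42 tampers active_project=1 into active_project=2 in the URL.
foreach (['overviewVulnerable', 'overviewFixed'] as $action) {
    $r = $action(2, 42);
    printf("%-18s redirect=%s flash=%s body=%d bytes\n",
        $action,
        $r->headers['Location'] ?? '-',
        implode(',', $r->flash) ?: '-',
        strlen($r->body));
}
```

Run with `php example.php`: the vulnerable action reports a redirect, the "no access permissions" flash and a non-empty body, which is exactly the combination poldi describes (red box plus readable content); the fixed action reports the redirect with an empty body. One PHP-specific caveat worth checking in the real installation: if any output (for instance the flash box, or a stray byte from a translation file) has already been sent when header() is called, PHP emits a "headers already sent" warning and the Location header is never transmitted, so the browser simply renders the rest of the page. The only robust defence is the one shown above: stop executing immediately after the denial, independent of whether the redirect succeeds.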

Hi there,

the permissions seem to be fine.

It looks like the redirect doesn't work properly. Can that have to do with the German translation I am using? Because I get a red box saying that I am not allowed to be in this project, but like I said, it does not prohibit access. Access means I can see any information, but I can't comment and so on. And there is always this red box ...

What could be the problem with PHP and the redirect?

I've found the main cause of the problem and I intend to create a patch for this over the next few days.

Suppose it's not serious except for the tasks & files section.
Please post a link to the issue...

Patch is in the issue queue
http://projectpier.org/node/1044