cvs2.gaslightmedia.com Git - WP-Plugins/glm-member-db-events.git/commit

projects / WP-Plugins / glm-member-db-events.git / commit

author	Chuck Scott <cscott@gaslightmedia.com>
	Fri, 30 Dec 2016 20:53:01 +0000 (15:53 -0500)
committer	Chuck Scott <cscott@gaslightmedia.com>
	Fri, 30 Dec 2016 20:53:01 +0000 (15:53 -0500)
commit	ba14bc9658d9ba0f6be29141cc1db10beebb9ec9
tree	58f5ee2f2ef4f8a23609b1c1853a06a78875b502	tree \| snapshot
parent	1308bb3727c815ef1d7ef4156ac9bc15ca5eacd4	commit \| diff

Found a way that contact users could access and update events that don't belong to their member by tampering with the URL parameters.
Added checks in list.php to determine if the current logged in member id matches the member of an event.
If it doesn't, simply display an message that the event may not be accessed.

models/admin/events/list.php		diff \| blob \| history
views/admin/events/edit.html		diff \| blob \| history

RSS Atom