From: Chuck Scott
Date: Fri, 30 Dec 2016 20:53:01 +0000 (-0500)
Subject: Found a way that contact users could access and update events that don't belong to...
X-Git-Tag: v1.6.0^2~5
X-Git-Url: http://cvs2.gaslightmedia.com/gitweb/?a=commitdiff_plain;h=ba14bc9658d9ba0f6be29141cc1db10beebb9ec9;p=WP-Plugins%2Fglm-member-db-events.git
Found a way that contact users could access and update events that don't belong to their member by tampering with the URL parameters. Added checks in list.php to determine if the current logged in member id matches the member of an event. If it doesn't, simply display an message that the event may not be accessed.
---
diff --git a/models/admin/events/list.php b/models/admin/events/list.php
index 049ca9e..95d03c8 100644
--- a/models/admin/events/list.php
+++ b/models/admin/events/list.php
@@ -367,12 +367,21 @@ class GlmMembersAdmin_events_list extends GlmDataEvents
 case 'edit':
+
+ $event = $this->editEntry($this->eventID);
+
 // If we have a good event
 if ($event['status']) {
 $haveEvent = true;
 }
+ // If we're locked to a member as a contact user and the event member doesn't equal the contact member
+ if ($lockedToMember && $event['fieldData']['ref_dest_id'] != $lockedToMember) {
+ $haveEvent = false;
+ $event = false;
+ }
+
 $view = 'edit';
 break;
diff --git a/views/admin/events/edit.html b/views/admin/events/edit.html
index c0a2477..d9d60c6 100644
--- a/views/admin/events/edit.html
+++ b/views/admin/events/edit.html
@@ -4,7 +4,7 @@
 {include file='admin/events/header.html'}
 {/if}
-{if apply_filters('glm_members_permit_admin_member_event', true)}
+{if apply_filters('glm_members_permit_admin_member_event', true) && ($option == 'add' || $haveEvent)}
 {if $haveMember} Return to Events List
@@ -97,9 +97,7 @@
 {else} - - -
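Review bot: The added ownership test `if ($lockedToMember && $event['fieldData']['ref_dest_id'] != $lockedToMember)` indexes `$event['fieldData']` without first checking that `editEntry()` returned a good event (the preceding `if ($event['status'])` is not reused), and it compares with loose `!=`; guard on `$haveEvent` and compare as integers, e.g. `if ($haveEvent && $lockedToMember && (int) $event['fieldData']['ref_dest_id'] !== (int) $lockedToMember) {` — the casts are there because the types of `ref_dest_id` and `$lockedToMember` are not visible in this hunk. The denial is silent; logging the contact's member id and the requested event id at that point would make repeated parameter tampering visible in the admin logs rather than only producing a blank edit page. The commit message names both access and update, but only the `edit` case is in this hunk; if the update and delete cases of the same switch take the event id from the request, they need the same member check. The switch and its enclosing method start and end outside the hunk.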
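Review bot: The `$haveEvent` gate added to the `{if apply_filters(...)}` line is a presentation fallback only; the authoritative ownership decision has to stay in the controller (the list.php hunk of this commit), and a template comment above the line would make that dependency explicit, e.g. `{* $haveEvent is cleared by list.php when the event belongs to another member; the {else} branch then shows the "no event found or permission not granted" message *}`. The `$option == 'add'` bypass is right for a not-yet-existing event, but whether the add/submit path assigns the new event's member from the logged-in contact rather than from submitted form data is not visible in this diff and is worth confirming. The `{if}` block opened here closes outside the hunk.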
Name:{$event.fieldData.name}
+

Sorry, no event found or permission not granted.

{/if}