From ba14bc9658d9ba0f6be29141cc1db10beebb9ec9 Mon Sep 17 00:00:00 2001 From: Chuck Scott Date: Fri, 30 Dec 2016 15:53:01 -0500 Subject: [PATCH] Found a way that contact users could access and update events that don't belong to their member by tampering with the URL parameters. Added checks in list.php to determine if the current logged in member id matches the member of an event. If it doesn't, simply display an message that the event may not be accessed. --- models/admin/events/list.php | 9 +++++++++ views/admin/events/edit.html | 6 ++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/models/admin/events/list.php b/models/admin/events/list.php index 049ca9e..95d03c8 100644 --- a/models/admin/events/list.php +++ b/models/admin/events/list.php @@ -367,12 +367,21 @@ class GlmMembersAdmin_events_list extends GlmDataEvents case 'edit': + + $event = $this->editEntry($this->eventID); + // If we have a good event if ($event['status']) { $haveEvent = true; } + // If we're locked to a member as a contact user and the event member doesn't equal the contact member + if ($lockedToMember && $event['fieldData']['ref_dest_id'] != $lockedToMember) { + $haveEvent = false; + $event = false; + } + $view = 'edit'; break; diff --git a/views/admin/events/edit.html b/views/admin/events/edit.html index c0a2477..d9d60c6 100644 --- a/views/admin/events/edit.html +++ b/views/admin/events/edit.html @@ -4,7 +4,7 @@ {include file='admin/events/header.html'} {/if} -{if apply_filters('glm_members_permit_admin_member_event', true)} +{if apply_filters('glm_members_permit_admin_member_event', true) && ($option == 'add' || $haveEvent)} {if $haveMember} Return to Events List @@ -97,9 +97,7 @@ {else} - - -
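Review bot: Only the `edit` case receives the member-ownership check, and `edit` merely renders the form; the `update` and `delete` cases of this switch are outside the hunk, and unless each repeats the same `ref_dest_id` comparison before calling its save or delete path, a contact user can still submit the form directly for another member's event, which is the "update" half of what the commit message describes. Within the hunk, the new condition reads `$event['fieldData']['ref_dest_id']` even when `$event['status']` was false, and compares with loose `!=`; writing it as `if ($lockedToMember && (!$haveEvent || (int) $event['fieldData']['ref_dest_id'] !== (int) $lockedToMember)) {` avoids a notice on an invalid event ID and a type-juggled comparison (this assumes `$haveEvent` is initialised to false before the switch, which is not visible here). Consider also logging the denied request (the contact's member ID and the requested event ID) inside that branch, since the silent "no event found" outcome leaves no trace of the tampering this commit closes. The enclosing method starts and ends outside the hunk.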
Name:{$event.fieldData.name}
+

Sorry, no event found or permission not granted.

{/if} -- 2.17.1