Opened 3 years ago
Closed 3 years ago
#2037 closed Defect (fixed)
group owner can force any user to join group
| Reported by: | cash | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.7.2 |
| Component: | Core | Version: | 1.7 |
| Severity: | minor | Keywords: | |
| Cc: | brettp | Difficulty: | |
Description
The group edit action has some odd code. Its purpose is to make sure that the creator of a group joins the group. It can be exploited by the group owner to add any user to the group. The primary problem is that the group edit form embeds the user guid in the form as a hidden value, which is never a good idea. Better to use the session information.
Change History (1)
comment:1 Changed 3 years ago by cash
- Resolution set to fixed
- Status changed from new to closed

(In [svn:6227]) Fixes #2037 #2089 - fixing issues with joining group when saving group
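The pattern described in the ticket, next to the session-based alternative it recommends, as an added example. This is not Elgg's code and not the committed fix: the function names, array layout and GUID values are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample state (not from the ticket): GUID 10 is logged in and
// owns group 7; GUID 42 is an unrelated user who never asked to join.
$session = ['guid' => 10];                          // server-side, set at login
$post    = ['group_guid' => 7, 'user_guid' => 42];  // hidden fields, client-controlled
$groups  = [7 => ['owner' => 10, 'members' => []]];

// Shared check: the group must exist and the session user must own it.
function require_owner(array $groups, int $gid, array $session): void {
    if (!isset($groups[$gid]) || $groups[$gid]['owner'] !== $session['guid']) {
        throw new RuntimeException('not permitted to edit this group');
    }
}

// Pattern from the ticket: the member to add is read from the hidden form
// field, so the owner can submit any GUID and that user is joined.
function save_group_trusting_form(array $post, array $session, array &$groups): void {
    $gid = (int) $post['group_guid'];
    require_owner($groups, $gid, $session);
    $groups[$gid]['members'][] = (int) $post['user_guid'];
}

// Session-based pattern: the posted user_guid is never read. The only
// identity that can be joined is the one the server authenticated.
function save_group_using_session(array $post, array $session, array &$groups): void {
    $gid = (int) $post['group_guid'];
    require_owner($groups, $gid, $session);
    if (!in_array($session['guid'], $groups[$gid]['members'], true)) {
        $groups[$gid]['members'][] = $session['guid'];
    }
}

// Run both handlers on the same request against separate copies of the state.
$trusting = $groups;
save_group_trusting_form($post, $session, $trusting);

$hardened = $groups;
save_group_using_session($post, $session, $hardened);

echo 'form-trusting handler joined: ', implode(',', $trusting[7]['members']), PHP_EOL;
echo 'session-based handler joined: ', implode(',', $hardened[7]['members']), PHP_EOL;
```

The ownership check passes in both handlers, which is why it does not help here: the request is authorized, but the identity it acts on comes from the client in the first handler and from the session in the second.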