Memcache bypasses access restrictions
| Reported by: | miguel | Owned by: | |
| Severity: | critical | Keywords: | security, access restrictions, memcache |
| Cc: | brett@…, steve@…, iamjanek@… | Difficulty: | |
Description (last modified by cash)
With memcache active, the function get_entity($guid) can return objects not viewable by the current user, as long as the entity is found in memcache.
If it is not found, the usual access restrictions work, because they are checked inside get_entity_as_row. This is with Elgg 1.7.7.
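The failure mode described above, reduced to a self-contained model. This is an added example, not part of the ticket and not Elgg's code or its actual fix: the function names, the access model and the sample rows are all constructed for illustration.

```php
<?php
// Simplified model of the bug in this ticket; every name and value here is
// constructed for illustration and is not Elgg's API or schema.
$rows = [ // stand-in for the entities table
    10 => ['guid' => 10, 'owner' => 1, 'access' => 'private', 'title' => 'draft'],
    11 => ['guid' => 11, 'owner' => 1, 'access' => 'public',  'title' => 'post'],
];
$cache = []; // stand-in for memcache, shared by every user

function can_view(array $row, int $viewer): bool {
    return $row['access'] === 'public' || $row['owner'] === $viewer;
}

// Database path: the access check lives here, as the ticket describes.
function load_row_checked(int $guid, int $viewer): ?array {
    global $rows;
    $row = $rows[$guid] ?? null;
    return ($row !== null && can_view($row, $viewer)) ? $row : null;
}

// Vulnerable: a cache hit returns before any access check runs.
function lookup_vulnerable(int $guid, int $viewer): ?array {
    global $cache;
    if (isset($cache[$guid])) {
        return $cache[$guid];
    }
    $row = load_row_checked($guid, $viewer);
    if ($row !== null) {
        $cache[$guid] = $row;
    }
    return $row;
}

// Hardened: the cache only saves the fetch; the check runs on every call.
function lookup_hardened(int $guid, int $viewer): ?array {
    global $cache;
    $row = $cache[$guid] ?? load_row_checked($guid, $viewer);
    if ($row === null || !can_view($row, $viewer)) {
        return null;
    }
    $cache[$guid] = $row;
    return $row;
}

lookup_vulnerable(10, 1);                    // the owner's request warms the cache
var_dump(lookup_vulnerable(10, 2) !== null); // user 2 asks for the owner's private row
var_dump(lookup_hardened(10, 2) !== null);   // same request through the re-checking path
```

The cache is keyed only by guid, so whatever one user was allowed to load is what every later caller gets back unless the access decision is made again per request.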
Change History (11)
comment:9 Changed 7 months ago by Steve Clay
- Resolution set to fixed
- Status changed from new to closed