/view/:guid route can expose plugin information to logged-out users
Reported by: ewinslow
Owned by:
Description (last modified by ewinslow)
Just stumbled across this while testing a new routing system. I assume we don't want random people to be able to inspect what plugins are installed on a given site.
This is because plugins have access_id public by default. I don't see a way to get around that since plugins need to work for logged-out users too, obviously.
Change History (16)
comment:5 Changed 14 months ago by ewinslow
- Difficulty set to easy
- Milestone changed from Needs Review to Elgg 1.8.4
comment:13 Changed 13 months ago by Brett Profitt
- Resolution set to fixed
- Status changed from new to closed