With a small client-side modification to the AJAX code (in reptag_helper.js) it is possible to add/edit/delete tags of other users. The ajax callback does not bypass the access restrictions of the Drupal site nor does it allow the user to list other users tags. However I just committed a patch which adds a check to ensure that a user can only access its own tags.

Comments

profix898’s picture

profix898 commented
Title: its possible to modify other users data using ajax » modify other users data using ajax
Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)