User should not be able set a parent for non-subscribed group

Posted by Amitaibu on November 9, 2007 at 6:27pm

Issue Summary

Example:
I have 2 groups A and B
User subscribed to grouped A
User adds a sub-group, but in Add form he's allowed to set the parent as group B.

This is an access violation, as some groups are moderated and don't allow edit them.

In my opinion, groups that user is not subscribed, shouldn't appear in the parents list.

Posted by ezra-g on February 25, 2008 at 10:16pm

This will be fixed shortly.

Posted by ezra-g on February 25, 2008 at 10:56pm

Status:

active

» fixed

Fixed in 5.x-3.0 with commit # 103133. thanks to Amitaibu for pointing this out.

Attached is a patch detailing the changes I made.

Attachment	Size
190837-security.patch	12.61 KB

Posted by Anonymous (not verified) on March 10, 2008 at 11:57pm

Status:

fixed

» closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

Project:	Subgroups for Organic groups
Version:	5.x-3.0-dev
Component:	Code
Category:	bug report
Priority:	critical
Assigned:	ezra-g
Status:	closed (fixed)