The module creates a path of user/userid/apply_for_role, but the check ensuring that the user on this page is the current user himself is missing. This lets any user with the "apply for role" permission try random or even sequential numbers and submit the application for that user. The submission itself is still for the correct user, but it would be better if the page didn't show it as such.

To recreate this, simply enable the module and assign which roles are available to apply for at
http://local/admin/settings/apply_for_role

then grant the permission to the anonymous or authenticated user role at
http://localhost/admin/user/access

once that is done, you can enter any valid user ID in the apply_for_role path to load the page, like
http://local/user/2/apply_for_role
http://local/user/3/apply_for_role

To fix this, simply append the uid check to line 94 so it reads

'access' => user_access('apply for roles') && $user->uid == arg(1),
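The fix in context, as an added example (not the apply_for_role module's own hook_menu(); the callback name and form ID are assumed): a Drupal 5 menu item for the per-user page showing the vulnerable access check beside the corrected one, and the $may_cache caveat that makes the check meaningful.

```php
<?php
// Added example, not the module's code. Drupal 5 hook_menu() receives
// $may_cache; items whose access depends on the request (arg(1), the
// logged-in user) must be built in the non-cached branch, otherwise a
// cached access result would apply to every request.
function apply_for_role_menu($may_cache) {
  global $user;
  $items = array();

  if (!$may_cache && arg(0) == 'user' && is_numeric(arg(1))) {
    $uid = (int) arg(1);

    // Before the fix: any account holding the permission could load
    // user/<any uid>/apply_for_role by walking sequential user IDs.
    //   'access' => user_access('apply for roles'),

    // After the fix: the permission is still required, and the uid in the
    // path must match the logged-in account. Requiring uid > 0 also keeps
    // user/0/apply_for_role unreachable for anonymous visitors.
    $items[] = array(
      'path' => 'user/' . $uid . '/apply_for_role',
      'title' => t('Apply for role'),
      // Callback and form ID are assumptions for this example.
      'callback' => 'drupal_get_form',
      'callback arguments' => array('apply_for_role_form', $uid),
      'access' => user_access('apply for roles') && $user->uid > 0 && $user->uid == $uid,
      'type' => MENU_LOCAL_TASK,
    );
  }
  return $items;
}
```

With this item in the non-cached branch, a request for another account's uid yields an access denied page instead of rendering the form under that user's path.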

Comment | File | Size | Author
#5 | apply_for_role-374131.patch | 809 bytes | Soren Jones

Comments

Soren Jones

Title: apply for role should check uid before allowing access to the page » Apply for role should check uid before allowing access to the page
Version: 5.x-1.8 » 5.x-1.x-dev

Todo

Soren Jones

Todo: Verify that this error exists in 6.x-1.9.

Soren Jones

Version: 5.x-1.x-dev » 6.x-1.9

Soren Jones

Version: 6.x-1.9 » 5.x-1.x-dev
Priority: Normal » Critical

This was fixed in 6 but apparently never backported to 5.

Soren Jones

Status | File | Size
new | apply_for_role-374131.patch | 809 bytes

Patch applied to 5 -dev and attached here.

Soren Jones

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.