
Apply for role should check uid before allowing access to the page

Project: Apply for role
Version: 5.x-1.x-dev
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

The module creates a path of user/userid/apply_for_role, but the check that the user on this page is the user himself is missing. This lets any user with the "apply for role" permission try random or even sequential numbers and try to submit the application for that user. The submission itself is still for the correct user, but it would be better if the page didn't show it as such.

To recreate this, simply enable the module and assign which roles are available to apply for at
http://local/admin/settings/apply_for_role

then give the anonymous or authenticated user role access to gain access at
http://localhost/admin/user/access

Once that is done, you can enter any valid userid in the path to apply_for_role to load the page, like:
http://local/user/2/apply_for_role
http://local/user/3/apply_for_role

To fix this, simply append the uid check to line 94 so it reads:

'access' => user_access('apply for roles') && $user->uid == arg(1),
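One way to implement the check in context, as an added example that is not the module's own code: a Drupal 5-style hook_menu() item for user/<uid>/apply_for_role whose 'access' value comes from a small helper. The helper name, the form id and the other keys of the menu item are assumptions for illustration. The helper also tightens the one-line fix above: arg(1) arrives as a string, and PHP's loose == would treat a value such as "2abc" as equal to 2, so the path segment is validated as a plain integer before it is compared with the logged-in account's uid.

```php
<?php
// Added example, not the Apply for role module's own code. Drupal 5 API
// (hook_menu($may_cache), arg(), user_access(), drupal_get_form()) is
// assumed; the helper name and form id are made up for illustration.

/**
 * Returns TRUE only when $account may open user/$path_uid/apply_for_role.
 *
 * The uid in the path is a string, so it is checked to be a canonical
 * integer before the comparison. That rejects values such as "2abc" or
 * "2.0", which a loose "== 2" in PHP would otherwise accept.
 */
function apply_for_role_page_access($account, $path_uid) {
  if (!user_access('apply for roles', $account)) {
    return FALSE;
  }
  // Canonical integer check: is_numeric() alone also accepts "2.5" or "1e3".
  if (!is_numeric($path_uid) || (string) (int) $path_uid !== (string) $path_uid) {
    return FALSE;
  }
  // Anonymous (uid 0) has no account of its own to apply for, so the page
  // stays hidden even if the permission was granted to the anonymous role.
  return $account->uid > 0 && (int) $path_uid === (int) $account->uid;
}

/**
 * Implementation of hook_menu() (Drupal 5 signature).
 */
function apply_for_role_menu($may_cache) {
  global $user;
  $items = array();

  // The path embeds a user id, so it is built per request, not cached.
  if (!$may_cache && arg(0) == 'user' && is_numeric(arg(1))) {
    $items[] = array(
      'path' => 'user/' . arg(1) . '/apply_for_role',
      'title' => t('Apply for role'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('apply_for_role_form'), // assumed form id
      // The uid check from this report, evaluated against the current user.
      'access' => apply_for_role_page_access($user, arg(1)),
      'type' => MENU_LOCAL_TASK,
    );
  }
  return $items;
}
```

With this in place, user/3/apply_for_role is denied (and the local task hidden) for everyone except the account with uid 3, regardless of how many ids a visitor tries in the path.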

Comments

#1

Title: apply for role should check uid before allowing access to the page » Apply for role should check uid before allowing access to the page
Version: 5.x-1.8 » 5.x-1.x-dev

Todo

#2

Todo: Verify that this error exists in 6.x-1.9.

#3

Version: 5.x-1.x-dev » 6.x-1.9

#4

Version: 6.x-1.9 » 5.x-1.x-dev
Priority: normal » critical

This was fixed in 6 but apparently never backported to 5.

#5

Patch applied to 5.x-dev and attached here.

Attachment: apply_for_role-374131.patch (809 bytes)

#6

Status: active » fixed

#7

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
