sms_sendtophone_page() checks if the user has set a number but does not check if the number has been confirmed. Thus, users effectively have the 'send to any number' permission. This should be fixed. I've prepared a patch. This patch also includes my trivial fixes from #555922: Unreachable code: "You need need to setup your mobile phone to send messages" and #556002: Typo: repetition of "need" in sms_sendtophone_page().

CommentFileSizeAuthor
sms_sendtophone_page_fixes.patch1.38 KBjpmckinney

Comments

alone boy’s picture

alone boy commented

fine

univate’s picture

univate commented
Status: Needs review » Fixed

This fix committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit ac725ef on 6.x-2.x, 8.x-1.x by univate: 
    #556016 by jpmckinney: sms_sendtophone checks for number but doesn't...