Closed (fixed)
Project: Homebox - Individual user dashboards
Version: 6.x-1.0
Component: Code
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 1 Oct 2009 at 09:37 UTC
Updated: 3 Nov 2009 at 08:30 UTC
Comments
Comment #1
jchatard commented
Can you please try with 1.0 stable version?
And if this persists, can you give some more details about the kind of permissions you set so I can reproduce your config?
Thanks,
Jérémy
Comment #2
eme commented
Actually my mistake: I am already using 1.0 stable version.
I set a very simple permission: I create a block with permission for a role only. And when I connect with a user that does not have this role, he sees the block. I checked of course by putting the block in the sidebar, and it works normally (i.e. the user does not see the block in the sidebar but sees it in the homebox).
Comment #3
jchatard commented
Damned!
You're right eme!
Here's a patch that should correct this huge security bug!
Could you please test it under your configuration and let me know? If everything is OK I'll put a security release.
Thanks for pointing this out!
Jérémy
Comment #4
jchatard commented
Changed priority to critical
Comment #5
eme commented
After the first tests, it seems it works well now for role permissions.
It could be interesting to specify in the README or wherever that it works only with role permissions (and not with complex PHP permissions). Some people could try to use the PHP to show homebox only in specific cases (like having two different roles at once).
It could be an interesting feature request to make this functionality, but I'm not sure it's "the" great feature. Only the PHP code validation is of interest of course, as the two other visibility choices (the per page choices) are of no use since Homebox has its own administration page to activate/deactivate.
Comment #6
jchatard commented
in 6.x1.1