Bug 449931: [SECURITY] Unprivileged users can approve/unapprove all the quips…

Bug 449931: [SECURITY] Unprivileged users can approve/unapprove all the quips (including bypassing moderation) - Patch by Robin H. Johnson <robbat2@gentoo.org> r/a=LpSolit

Bug 449931: [SECURITY] Unprivileged users can approve/unapprove all the quips…
c4c473b9 · lpsolit%gmail.com · bbc78743 · c4c473b9 · c4c473b9 · c4c473b9
Commit c4c473b9 authored Nov 06, 2008 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

quips.cgi quips.cgi +17 -5

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +2 -0

quips.html.tmpl template/en/default/list/quips.html.tmpl +3 -0

No files found.
--- a/quips.cgi
+++ b/quips.cgi
@@ -88,6 +88,11 @@ if ($action eq "add") {
 }

 if ($action eq 'approve') {
+    $user->in_group('admin')
+      || ThrowUserError("auth_failure", {group  => "admin",
+                                         action => "approve",
+                                         object => "quips"});
+ 
    # Read in the entire quip list
    my $quipsref = $dbh->selectall_arrayref("SELECT quipid, approved FROM quips");
    
@@ -100,11 +105,18 @@ if ($action eq 'approve') {
    my @approved;
    my @unapproved;
    foreach my $quipid (keys %quips) {
-       my $form = $cgi->param('quipid_'.$quipid) ? 1 : 0;
-       if($quips{$quipid} ne $form) {
-           if($form) { push(@approved, $quipid); }
-           else { push(@unapproved, $quipid); }
-       }
+        # Must check for each quipid being defined for concurrency and
+        # automated usage where only one quipid might be defined.
+        my $quip = $cgi->param("quipid_$quipid") ? 1 : 0;
+        if(defined($cgi->param("defined_quipid_$quipid"))) {
+            if($quips{$quipid} != $quip) {
+                if($quip) { 
+                    push(@approved, $quipid); 
+                } else { 
+                    push(@unapproved, $quipid); 
+                }
+            }
+        }
    }
    $dbh->do("UPDATE quips SET approved = 1 WHERE quipid IN (" .
            join(",", @approved) . ")") if($#approved > -1);

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -146,6 +146,8 @@
      schedule
    [% ELSIF action == "use" %]
      use
+    [% ELSIF action == "approve" %]
+      approve
    [% END %]

    [% IF object == "administrative_pages" %]

--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -124,6 +124,9 @@
              </a>
            </td>
            <td>
+              <input type="hidden" name="defined_quipid_[% quipid FILTER html %]"
+                     id="defined_quipid_[% quipid FILTER html %]"
+                     value="1">
              <input type="checkbox" name="quipid_[% quipid FILTER html %]"
                     id="quipid_[% quipid FILTER html %]"
                     [%- ' checked="checked"' IF quips.$quipid.approved %]>