BuddyPress.org

Opened 16 years ago

Closed 16 years ago

#52 closed defect (bug) (fixed)

Backend admin security issues

Reported by: sollaires Owned by:
Milestone: Priority: major
Severity: Version:
Component: Keywords:
Cc:

Description

I'll try to get better repro steps, but I just was able to change some of the global buddypress settings as a non-admin user. It requires the user to know some URLs (I found it because I had a tab open on some of the site admin options as an admin, logged out, logged in as a user and I was still able to see and manipulate the BuddyPress options).

I believe the solution is to add security checks both to the add_menu actions as well as to the pages themselves to make sure the user has the proper privileges to access and change the contents.

Change History (2)

#1 @sollaires
16 years ago

Probably just need to add proper use of is_site_admin() to those pages as well as to the calls that add menus to the admin side.

#2 @apeatling
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

fixed in rev 309. These settings have been removed as they are no longer relevant.
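
The check proposed in this ticket, sketched as an added example that is not BuddyPress code and not part of the ticket: the privilege test appears in the menu registration and again inside the page callback that reads and writes the setting. The `example_` names, the menu slug and the option key are hypothetical, and the `wpmu-admin.php` parent menu is an assumption.

```php
<?php
// Added example, not BuddyPress code. All "example" names are hypothetical.
// is_site_admin() is the WPMU function named in the ticket; later WordPress
// releases replaced it with is_super_admin().

// 1. Menu registration: only add the entry for site admins.
//    Do not rely on this alone. It controls what is listed in the menu;
//    the callback below is what actually touches the settings.
function example_add_settings_menu() {
    if ( ! is_site_admin() ) {
        return;
    }
    add_submenu_page(
        'wpmu-admin.php',              // parent menu (assumed)
        'Example Settings',            // page title
        'Example Settings',            // menu title
        'manage_options',              // capability needed to see the entry
        'example-bp-settings',         // menu slug (hypothetical)
        'example_render_settings_page' // callback
    );
}
add_action( 'admin_menu', 'example_add_settings_menu' );

// 2. Page callback: repeat the check on every request, before displaying
//    or saving anything, so a known URL is not enough to reach the form.
function example_render_settings_page() {
    if ( ! is_site_admin() ) {
        wp_die( 'You do not have permission to access this page.' );
    }

    if ( isset( $_POST['example_bp_option'] ) ) {
        // Separate from the privilege check: confirms the POST came from
        // a form this admin session rendered.
        check_admin_referer( 'example-bp-settings' );
        $new = sanitize_text_field( stripslashes( $_POST['example_bp_option'] ) );
        update_site_option( 'example_bp_option', $new );
    }

    $value = get_site_option( 'example_bp_option', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example-bp-settings' ); ?>
        <input type="text" name="example_bp_option"
               value="<?php echo esc_attr( $value ); ?>" />
        <input type="submit" value="Save" />
    </form>
    <?php
}
```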
