Opened 16 years ago
Closed 16 years ago
#52 closed defect (bug) (fixed)
Backend admin security issues
Reported by: | sollaires | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | major |
Severity: | | Version: | |
Component: | | Keywords: | |
Cc: | | | |
Description
I'll try to get better repro steps, but I just was able to change some of the global buddypress settings as a non-admin user. It requires the user to know some URLs (I found it because I had a tab open on some of the site admin options as an admin, logged out, logged in as a user and I was still able to see and manipulate the BuddyPress options).
I believe the solution is to add security checks both to the add_menu actions as well as to the pages themselves to make sure the user has the proper privileges to access and change the contents.
Probably just need to add proper use of is_site_admin() to those pages as well as to the calls that add menus to the admin side.
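The pattern the ticket describes, as an added illustration that is not code from the ticket or from BuddyPress: an admin page whose menu registration and save handler both skip a privilege check, beside a version that gates both with is_site_admin() and verifies the form submission with a nonce. The option name, function names, form field and the use of current WordPress helper functions are assumptions for the example.

```php
<?php
// Added example, not BuddyPress code. Option/function names are hypothetical.

// BEFORE: the menu is registered for every logged-in user ('read'), and the
// page handler saves a global setting without checking who submitted it.
function example_register_menu_unchecked() {
    add_menu_page( 'Example Settings', 'Example', 'read',
        'example-settings', 'example_settings_page_unchecked' );
}
function example_settings_page_unchecked() {
    if ( isset( $_POST['example_option'] ) ) {
        // Any user who knows the page URL reaches this and changes the option.
        update_option( 'example_option', $_POST['example_option'] );
    }
    // ... render form ...
}

// AFTER: gate the menu registration AND the page itself. Hiding the menu
// entry alone does not stop a user who already knows the URL.
function example_register_menu_checked() {
    if ( ! is_site_admin() ) {
        return; // non-admins never get the menu entry
    }
    add_menu_page( 'Example Settings', 'Example', 'manage_options',
        'example-settings', 'example_settings_page_checked' );
}
function example_settings_page_checked() {
    // Check again here: this runs on direct requests to the page URL.
    if ( ! is_site_admin() ) {
        wp_die( 'You do not have permission to access this page.' );
    }
    if ( isset( $_POST['example_option'] ) ) {
        // Reject forged or stale submissions before touching the option.
        check_admin_referer( 'example_save_settings' );
        update_option( 'example_option', sanitize_text_field( $_POST['example_option'] ) );
    }
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings' );
    echo '<input type="text" name="example_option" value="'
        . esc_attr( get_option( 'example_option' ) ) . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
add_action( 'admin_menu', 'example_register_menu_checked' );
```

The same two checks (menu registration and page callback) apply to add_submenu_page() registrations, which the ticket's "add_menu actions" also cover.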