View Issue Details

Jump to NotesJump to History
This issue affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
14827Bug reportsSecuritypublic2019-04-30 11:332021-07-12 15:11
Reporterbewi Assigned ToLouisGac 
PrioritynormalSeverityminor 
Status closedResolutionfixed 
Product Version3.17.x 
Fixed in Version5.x 
Summary14827: admin without rights can access pages
Description

admins with limited rights (non superadmins, no access to config area) are able to access the following directories even though they were not linked anywhere in the application:
/index.php/admin/pluginmanager/sa/index
/index.php/admin/menus/sa/view
/index.php/admin/menuentries/sa/view

The users can access the directories, but they can neither add anything to them, nor edit

TagsNo tags attached.
Bug heat254
Complete LimeSurvey version number (& build)Version 3.17.1+190408
I will donate to the project if issue is resolvedNo
Browser
Database type & version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*

Users monitoring this issue

There are no users monitoring this issue.

Activities

LouisGac

LouisGac

2019-04-30 15:27

developer   ~51702

access directory? I'm not sure to understand. what do you see exactly?
LouisGac

LouisGac

2019-04-30 15:30

developer   ~51703

ok I can reproduce (direct access to the url works, the view is displayed, even if no action on the page is possible)
c_schmitz

c_schmitz

2021-07-12 15:11

administrator   ~65381

Hello bewi,
I checked this with the latest version and could not reproduce, so this is most likely fixed for good.
Therefore, I am closing this issue. If you still can reproduce the issue using the latest version, please feel free to re-open the issue.
Thank you!

c_schmitz

Issue History

Date Modified Username Field Change
2019-04-30 11:33 bewi New Issue
2019-04-30 13:45 c_schmitz Assigned To => LouisGac
2019-04-30 13:45 c_schmitz Status new => assigned
2019-04-30 13:46 c_schmitz Priority none => urgent
2019-04-30 13:46 c_schmitz Reproducibility have not tried => always
2019-04-30 15:27 LouisGac Note Added: 51702
2019-04-30 15:30 LouisGac Note Added: 51703
2020-03-05 14:03 cdorin Priority urgent => normal
2020-03-05 14:03 cdorin Status assigned => confirmed
2021-07-12 15:11 c_schmitz Status confirmed => resolved
2021-07-12 15:11 c_schmitz Resolution open => fixed
2021-07-12 15:11 c_schmitz Fixed in Version => 5.x
2021-07-12 15:11 c_schmitz Status resolved => closed
2021-07-12 15:11 c_schmitz Note Added: 65381