Task #187778 chore: Fix security issue on plugin users #36

tushar33 · 2022-09-01T09:38:27Z

No description provided.

coolbung · 2022-09-06T03:31:52Z

src/users/user.php

+		$xidentifier = $input->server->get('HTTP_X_IDENTIFIER', '', 'String');
+		$user        = Factory::getUser();
+
+		if (!$user->authorise('core.admin') && $id != $user->id)


Should this be hardcoded to core.admin ? I suggest you check for the com_users create & edit permission based on if it's a create or edit user case.

Task #187778 chore: Fix security issue on plugin users

aa30770

coolbung reviewed Sep 6, 2022

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Task #187778 chore: Fix security issue on plugin users #36

Task #187778 chore: Fix security issue on plugin users #36

tushar33 commented Sep 1, 2022

coolbung Sep 6, 2022

Task #187778 chore: Fix security issue on plugin users #36

Are you sure you want to change the base?

Task #187778 chore: Fix security issue on plugin users #36

Conversation

tushar33 commented Sep 1, 2022

coolbung Sep 6, 2022

Choose a reason for hiding this comment