User can change own rank
Bug #247484 reported by
KyleO
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
phpns |
Fix Released
|
Medium
|
KyleO |
Bug Description
Users can change their own rank, elevating themselves to whatever predefined levels available.
This can be done the easy way, but just selecting the current user the client is logged in as, and simply modifying it.
Or, a more elaborate way, is to spoof the post data.
This is fixed in the newest update. Patch released, including all patches, can be found in this zip file- http:// kyleosborn. com/phpns/ patches/ 2.2.3.patch. zip
Fix includes disabling rank option list when modifying own user profile, and making a check right before updating the database.