User is able to edit other people's location page if not set by the owner with +editlocation (it should display the forbidden page)

Bug #307561 reported by papukaija
This bug affects 1 person
Affects: Launchpad itself
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if I'm logged in and if the user in question hasn't set his/her location and timezone (with https://launchpad.net/~user-with-no-locations-set/+editlocation ).

This bug is a security vulnerability, or at least someone could abuse the editlocation-page.

Here are two working examples:
https://launchpad.net/~peruus/+editlocation
https://launchpad.net/~dpgravjob/+editlocation

--> Users who have set their location aren't affected by this bug, see for example:
https://launchpad.net/~mvo/+editlocation

papukaija (papukaija)
description: updated
description: updated
Curtis Hovey (sinzui)
security vulnerability: yes → no
visibility: private → public