Affiliates can see members of communities they are not in

Bug #594131 reported by Jim B. Glenn
Affects: KARL3
Status: Fix Released
Importance: High
Assigned to: Chris Rossi

Bug Description

I just found a security-related bug. I just logged in as my Affiliate
account (https://karl.soros.org/profiles/nkatinborland/), which is a
member of 2 communities, with just a few other users. However, when I
click on the People tab, 195 users show up. If I click on a user who is
not a member of one of the two communities, then I get a forbidden
message, but affiliates should only see people in their communities in
the first place. I have tested with several other Affiliate accounts
with the same result. Please look into why Affiliate users are seeing
non-members of their communities.

Thanks,

Nat

Tags: karl-support
Jim B. Glenn (jimbglenn) wrote :
tags: added: karl-support
Paul Everitt (paul-agendaless) wrote :

Hi Chris. I'm going to mark this as "High" just for the part about investigation. Once we learn more about it, we might change it to medium.

Changed in karl3:
importance: Undecided → High
assignee: nobody → Chris Rossi (chris-archimedeanco)
milestone: none → m42
Changed in karl3:
status: New → In Progress
Chris Rossi (chris-archimedeanco) wrote :

This was caused by profiles added via GSA getting improperly indexed. I have fixed this bug and created an evolve script to reindex the people directory after the fix is applied.

Changed in karl3:
status: In Progress → Fix Committed
JimPGlenn (jpglenn09) wrote :

fixed

Changed in karl3:
status: Fix Committed → Fix Released