Disabled features are still accessible by visiting their URI directly
Bug #618634 reported by Andrew Nicols
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Medium | Melissa Draper | |
Bug Description
If I disable a plugin (e.g. Resume), then the menu items for it disappear (correctly).
However, if I visit the URI for that plugin (e.g. /artefact/resume) on my site, I can still access, view, modify and submit information stored within the artefact.
Marking this as a security vulnerability because the plugin has been disabled but this is being circumvented.
Changed in mahara:
status: New → Opinion
security vulnerability: yes → no
visibility: private → public
Changed in mahara:
importance: Undecided → Medium
milestone: none → 1.4.0
status: Opinion → Confirmed
Changed in mahara:
assignee: nobody → Hugh Davenport (hugh-catalyst)
Changed in mahara:
assignee: Hugh Davenport (hugh-catalyst) → nobody
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Here's a potential fix. I haven't double-checked that all plugin pages define the type and name we test against here, but from a quick think about it, it's the only way which abstracts things as much as possible.
The only bit I don't like is that we call table_exists, which requires ddl.php which adds more bloat.
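
Enforcing the disabled state at request time instead of only hiding the menu entry, as an added example that is not Mahara's code or the fix attached to this bug. The function names, the `$installed` map and the page declarations are hypothetical, and it assumes each page declares the plugin type and name that own it; a page with no declaration is refused.

```php
<?php
// Added example: not Mahara's code. All names here are hypothetical.

// Constructed sample state: plugin type => name => active flag set by the admin.
$installed = [
    'artefact'  => ['resume' => false, 'blog' => true],
    'blocktype' => ['text' => true],
];

// Decide whether a page owned by ($type, $name) may be served.
// Fails closed: a page with no declaration, or an unknown plugin, is denied.
function plugin_page_allowed(array $installed, ?string $type, ?string $name): bool
{
    if ($type === null || $name === null) {
        return false; // page never declared which plugin owns it
    }
    if ($type === 'core') {
        return true; // core pages cannot be disabled
    }
    return ($installed[$type][$name] ?? false) === true;
}

// Front-controller gate. It runs before the page handler, so it covers
// viewing a page and submitting a form to it alike.
function dispatch(array $installed, array $page): array
{
    $type = $page['type'] ?? null;
    $name = $page['name'] ?? null;
    if (!plugin_page_allowed($installed, $type, $name)) {
        return [404, 'Not found'];
    }
    return [200, $page['handler']()];
}

// Constructed requests: URI => what the page declares about itself.
$pages = [
    '/artefact/resume/' => ['type' => 'artefact', 'name' => 'resume', 'handler' => fn() => 'resume form'],
    '/artefact/blog/'   => ['type' => 'artefact', 'name' => 'blog', 'handler' => fn() => 'blog list'],
    '/account/'         => ['type' => 'core', 'name' => 'account', 'handler' => fn() => 'settings'],
    '/artefact/legacy/' => ['handler' => fn() => 'undeclared page'],
];

foreach ($pages as $uri => $page) {
    [$status, $body] = dispatch($installed, $page);
    printf("%-20s %d %s\n", $uri, $status, $body);
}
```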