User is able to edit other people's location page if not set by the owner with +editlocation (it should display the forbidden page)
Bug #307561 reported by
papukaija
This bug report is a duplicate of:
Bug #262193: new location code allows anyone to set anyone else's location.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | New | Undecided | Unassigned | |
Bug Description
For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if I'm logged in and if the user in question hasn't set his/her location and timezone (with https:/
This bug is a security vulnerability or at least someone could abuse the editlocation-page.
Here are two working examples:
https:/
https:/
--> Users who have set their location aren't affected by this bug, see for example:
https:/
description: | updated |
description: | updated |
security vulnerability: | yes → no |
visibility: | private → public |