Check permissions and remove user suspension code from admin/users/search.json.php

Bug #771614 reported by Richard Mansfield on 2011-04-27
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Richard Mansfield
1.2
High
Richard Mansfield
1.3
High
Richard Mansfield

Bug Description

At one time, users could be suspended directly from the admin user search page.

The json script which fetches search results still allows suspension of users, and doesn't check institutional admin permission.

CVE References

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers