
[cobalt-users] Re: MAJOR UNSOLVED BUG IN THE GUI(WEBPANEL) COBALT-550



> I believe that you can only view the users, but can't change anything...am I right?
> Manny

Well, nonetheless complete lists of remote or local subscribers to mailing lists can be copied.
Opened doors for Spammers, don't you think?

Ollie

> -----Original Message-----
> From: Oliver Wendt [mailto:hawkeye@xxxxxxxxxxxx]
> Sent: Friday, June 13, 2003 7:19 AM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-users] Re: MAJOR UNSOLVED BUG IN THE GUI(WEBPANEL)
> COBALT-550
>
>
> hi there,
>
> we just implemented a small check in ServerScriptHelper.php -
> just like this:
>
> $serverScriptHelper = new ServerScriptHelper();
> $cceClient = $serverScriptHelper->getCceClient();
> $user = $cceClient->getObject("User", array("name"=>$loginName));
> $groupnr = $user["site"];
> if ($loginName != "admin") { // admin may do whatever he's up to
>     if (isset($group)) { // checking url-parameters
>         if ($group != $groupnr) { // evil guys change those values
>             header("Location: http://www.somewhere.org");
>             exit;
>         }
>     }
> }
>
> just give it a try ... it seems to work flawlessly.
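
Added example, not part of the original posts and not Cobalt's own code: a fail-closed variant of the group check quoted above, written as a standalone function so its edge cases can be exercised. The function name `isGroupRequestAllowed()` and the sample users are hypothetical; it assumes the User object carries a "site" field as in the quoted snippet and that the group arrives as a request parameter.

```php
<?php
/**
 * Decide whether a logged-in user may act on the group named in the request.
 *
 * @param string     $loginName      authenticated login name
 * @param array|null $user           result of the User lookup (needs a "site" key)
 * @param mixed      $requestedGroup raw "group" request parameter, null if absent
 */
function isGroupRequestAllowed($loginName, $user, $requestedGroup)
{
    if ($loginName === "admin") {
        return true;                  // admin may manage every site
    }
    if ($requestedGroup === null) {
        return true;                  // no group in the request, nothing to compare
    }
    // Array parameters (?group[]=x) and empty strings are never a valid group.
    if (!is_string($requestedGroup) || $requestedGroup === "") {
        return false;
    }
    // Fail closed when the lookup returned nothing or the user has no site.
    if (!is_array($user) || !isset($user["site"]) || $user["site"] === "") {
        return false;
    }
    // Strict string comparison avoids PHP's loose-comparison type juggling.
    return (string)$user["site"] === $requestedGroup;
}

// Constructed sample data standing in for the getObject("User", ...) result.
$users = array(
    "alice" => array("name" => "alice", "site" => "site1"),
    "bob"   => array("name" => "bob",   "site" => "site2"),
);

// Constructed requests: login name and the value of the group parameter.
$cases = array(
    array("alice", "site1"),          // own site
    array("alice", "site2"),          // another customer's site
    array("bob",   array("site2")),   // parameter sent as an array
    array("ghost", ""),               // unknown user, empty group
    array("admin", "site2"),          // administrator
);

foreach ($cases as $case) {
    list($login, $group) = $case;
    $user = isset($users[$login]) ? $users[$login] : null;
    $ok = isGroupRequestAllowed($login, $user, $group);
    printf("%-6s group=%-10s %s\n", $login, json_encode($group), $ok ? "allow" : "deny");
}
```

On a deny, answering with a 403 status and exiting keeps the rejection visible in the web server's access log, which a redirect to an external site does not.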