Changeset: 835ed3018d6f
https://sourceforge.net/p/mrbs/hg-code/ci/835ed3018d6f05caa193a1a3f33e687d489d5918
Author: Campbell Morrison <[email protected]>
Date: Thu Mar 16 10:44:05 2017 +0000
Log message:
Made the default access level 1 for the report, search and view_entry pages to
prevent usernames being revealed. See SF Feature Requests #351.
diffstat:
web/mrbs_auth.inc | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diffs (21 lines):
diff -r 055b07e16a40 -r 835ed3018d6f web/mrbs_auth.inc
--- a/web/mrbs_auth.inc Wed Mar 15 18:02:06 2017 +0000
+++ b/web/mrbs_auth.inc Thu Mar 16 10:44:05 2017 +0000
@@ -18,11 +18,14 @@
$page_level['day.php'] = ($auth['deny_public_access']) ? 1 :
0;
$page_level['help.php'] = ($auth['deny_public_access']) ? 1 :
0;
$page_level['month.php'] = ($auth['deny_public_access']) ? 1 :
0;
-$page_level['report.php'] = ($auth['deny_public_access']) ? 1 :
0;
-$page_level['search.php'] = ($auth['deny_public_access']) ? 1 :
0;
-$page_level['view_entry.php'] = ($auth['deny_public_access']) ? 1 :
0;
$page_level['week.php'] = ($auth['deny_public_access']) ? 1 :
0;
+// These pages reveal usernames, which could be of assistance to someone
trying to
+// break into the system, so users are required to be logged in before viewing
them.
+$page_level['report.php'] = 1;
+$page_level['search.php'] = 1;
+$page_level['view_entry.php'] = 1;
+
// These pages are set to have a minimum access level of 1 as ordinary users
// should be able to access them because they will have read access and in some
// cases write access for their own entries. Where necessary further checks
are
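Review bot: The three new assignments for report.php, search.php and view_entry.php are unconditional, so $auth['deny_public_access'] no longer affects these pages, and a site that deliberately allows anonymous viewing has no configuration switch to keep it. If that is intended, the behaviour change should be called out in the upgrade notes, and the new comment could say that the value is fixed regardless of deny_public_access. Separately, day.php, help.php, month.php and week.php still resolve to level 0 when public access is allowed; if any of those views also render the booking creator's username, the same reasoning applies to them and the disclosure is only partly closed by this change.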
_______________________________________________
Mrbs-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mrbs-commits