[VUFIND-1143] Logged in users can manipulate other users' saved searches Created: 03/Feb/16 Updated: 03/Feb/16 Resolved: 03/Feb/16 |
|
Status: | Resolved |
Project: | VuFind® |
Components: | MyResearch |
Affects versions: | 2.5.1 |
Fix versions: | 2.5.2 |
Type: | Bug | Priority: | Major |
Reporter: | Demian Katz | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original estimate: | Not Specified |
Description |
A logged in user can save or unsave another user's searches by manipulating ID numbers in URLs. This has been fixed by these commits: https://github.com/vufind-org/vufind/commit/a1643a5ce691cdbf9b42259169755c9f96ffec36 https://github.com/vufind-org/vufind/commit/30f7f9b3b6e28eae5c9cd3da3379d7bf564483fe |