Bug #905
closed
BP Docs Authentication Issue
Description
Ran into a strange and convoluted bug with BP Docs:
1. Started out by being logged into the Commons through my admin account.
2. Visited a private group. Went to add a comment to a BP Doc.
3. While I was in the process of writing the comment, I wanted to test a bug -- a user in the thread said that she was unable to edit forum posts.
4. So, in another tab, I logged out of my admin account and logged in as "Test Student" - a regular account.
5. I tested things in the other tab. Didn't log out of the Test Student account.
6. I went back to the BP Doc tab where I had been logged in as admin and clicked the Submit button on my BP Doc comment.
7. Upon hitting submit, I saw a message telling me that this is a hidden group and that one needs to be a member to see/post.
8. The message was actually posted to the BP Doc under the "Test Student" account even though that account is not part of the hidden group.
I don't expect that many people will run into this bug, but I thought I'd report it.
Updated by Boone Gorges over 13 years ago
- Priority name changed from Normal to Low
- Target version changed from 1.2.4 to 1.3
Thanks for the report. I've opened a bug ticket where I keep track of BP Docs bugs: https://github.com/boonebgorges/buddypress-docs/issues/108. I have a feeling that this is probably an issue present in WP blog comments as well - if you load a blog post, open another tab where you log out then log in as a new user, and go back to the first tab and submit a comment, it'll probably be posted by the currently logged in user. It's only a "bug" in the case of BP Docs because some Docs are private.
It's not a real security issue, as it does not allow unauthorized users to read or alter any existing private content, but only to leave what end up being extraneous comments. I'll have a look when I get a chance.
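The sequence reported in this ticket, modeled as an added example (not BP Docs or WordPress code; the `Site` class, its handlers and the group and doc ids are hypothetical). Access is checked when the form is rendered, the shared session changes in another tab, and the submit handler either trusts the earlier check or re-checks group membership on the write:

```python
# Constructed model of the ticket's scenario; all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Site:
    group_members: dict          # group id -> set of member user names
    doc_group: dict              # doc id -> owning (hidden) group id
    session_user: str = None     # one browser, one cookie: the current login
    comments: list = field(default_factory=list)

    def login(self, user):
        # Logging in from any tab replaces the cookie shared by all tabs.
        self.session_user = user

    def can_access(self, user, doc_id):
        return user in self.group_members[self.doc_group[doc_id]]

    def render_form(self, doc_id):
        # Access is checked when the page is rendered...
        if not self.can_access(self.session_user, doc_id):
            raise PermissionError("hidden group: members only")
        return {"doc_id": doc_id}

    def submit_unchecked(self, form, text):
        # ...but this handler relies on that check and only reads the session.
        self.comments.append((form["doc_id"], self.session_user, text))
        return "posted"

    def submit_checked(self, form, text):
        # Hardened: authorize the current user on the request that writes.
        if not self.can_access(self.session_user, form["doc_id"]):
            return "denied"
        self.comments.append((form["doc_id"], self.session_user, text))
        return "posted"

def replay(submit_name):
    site = Site({"hidden-group": {"admin"}}, {"doc-1": "hidden-group"})
    site.login("admin")
    form = site.render_form("doc-1")      # tab 1: form loaded as admin
    site.login("Test Student")            # tab 2: session switched
    result = getattr(site, submit_name)(form, "my comment")  # tab 1: Submit
    return result, site.comments

if __name__ == "__main__":
    print(replay("submit_unchecked"))
    print(replay("submit_checked"))
```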
Updated by Boone Gorges over 13 years ago
- Target version changed from 1.3 to 1.2.4
Updated by Boone Gorges over 13 years ago
- Status changed from Assigned to Resolved