Bug #905

closed

BP Docs Authentication Issue

Added by Matt Gold almost 13 years ago. Updated almost 13 years ago.

Status: Resolved
Priority name: Low
Assignee:
Category name: BuddyPress (misc)
Target version:
Start date: 2011-07-01
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Ran into a strange and convoluted bug with BP Docs:

1. Started out by being logged into the Commons through my admin account.
2. Visited a private group. Went to add a comment to a BP Doc.
3. While I was in the process of writing the comment, I wanted to test a bug -- a user in the thread said that she was unable to edit forum posts.
4. So, in another tab, I logged out of my admin account and logged in as "Test Student" - a regular account.
5. I tested things in the other tab. Didn't log out of the Test Student account.
6. I went back to the BP Doc tab where I had been logged in as admin and clicked the Submit button on my BP Doc comment.
7. Upon hitting submit, I saw a message telling me that this is a hidden group and that one needs to be a member to see/post.
8. The message was actually posted to the BP Doc under the "Test Student" account even though that account is not part of the hidden group.

I don't expect that many people will run into this bug, but I thought I'd report it.

#1

Updated by Boone Gorges almost 13 years ago

  • Priority name changed from Normal to Low
  • Target version changed from 1.2.4 to 1.3

Thanks for the report. I've opened a bug ticket where I keep track of BP Docs bugs: https://github.com/boonebgorges/buddypress-docs/issues/108. I have a feeling that this is probably an issue present in WP blog comments as well - if you load a blog post, open another tab where you log out then log in as a new user, and go back to the first tab and submit a comment, it'll probably be posted by the currently logged in user. It's only a "bug" in the case of BP Docs because some Docs are private.

It's not a real security issue, as it does not allow unauthorized users to read or alter any existing private content, but only to leave what end up being extraneous comments. I'll have a look when I get a chance.
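The mechanism Boone describes (the comment is attributed to whoever is logged in at submit time, while the membership check only affects what is shown afterwards) and the usual fix, a form token bound to the user who rendered the form, as an added Python illustration. This is not BP Docs or WordPress code; the secret, the group roster and the user names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret and hidden-group roster, both constructed for this example.
SECRET = secrets.token_bytes(32)
HIDDEN_GROUP_MEMBERS = {"admin"}
ACTION = "comment:doc-1"


def form_token(user_id: str, action: str) -> str:
    """Token embedded in the comment form when it is rendered.

    It is bound to the user logged in at render time, so a form rendered
    under one account cannot be submitted under another.
    """
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def submit_comment_buggy(session_user: str, token: str, action: str, body: str) -> dict:
    """Behaviour described in the report: the comment is stored under whoever
    is logged in now; membership only decides which notice is shown afterwards."""
    comment = {"ok": True, "author": session_user, "body": body}
    if session_user not in HIDDEN_GROUP_MEMBERS:
        comment["notice"] = "This is a hidden group; you must be a member to see it."
    return comment


def submit_comment(session_user: str, token: str, action: str, body: str) -> dict:
    """Hardened handler: verify the token against the current session user,
    then check that this user may post in the hidden group."""
    expected = form_token(session_user, action)
    if not hmac.compare_digest(expected, token):
        return {"ok": False, "reason": "form was rendered for a different user"}
    if session_user not in HIDDEN_GROUP_MEMBERS:
        return {"ok": False, "reason": "not a member of the hidden group"}
    return {"ok": True, "author": session_user, "body": body}


def reproduce(handler) -> dict:
    """Replay the report: the form is rendered in tab 1 as admin, then the
    session is switched to Test Student in tab 2 before tab 1 submits."""
    token = form_token("admin", ACTION)  # tab 1, rendered while logged in as admin
    session_user = "test_student"        # tab 2 logged out and back in as Test Student
    return handler(session_user, token, ACTION, "hello")
```

With the buggy handler the replay stores the comment as `test_student`; with the token check it is rejected before the membership check is even reached.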

#3

Updated by Boone Gorges almost 13 years ago

  • Status changed from Assigned to Resolved