Project

General

Profile

Actions

Bug #2387

closed

Backend has no authorization checks

Added by beat over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
09 March 2011
Due date:
% Done:

100%

Estimated time:

Description

In backend, e.g. deleteGroup() function, there is no authorizations checks. Means also simple managers or anyone with a limited backend access can do anything in groupjive.

Imho, authorization checks are needed in backend too, with admins and super-admins having all rights.

Actions

Also available in: Atom PDF