
mojomojo

The Catalyst-powered wiki

Delete of attachments doesn't require authentication
 
I found all of my attachments gone on my site after a day or so's crawl by Google.

With some testing I found that it doesn't care if you are logged in or not; anyone can delete any attachment.

I also notice that all of the images on the mojomojo.org site seem to be missing :-/
Moderator Comments
Fixed by MojoMojo 0.999033, now on CPAN.
Comments
Status Changed from Active to In Progress.
Security issue fixed by http://bit.ly/5t3by

Need to

* restore the attachments on MojoMojo.org
* push to CPAN

Although I fixed this issue on Windows, tests fail on Ubuntu. Looking into it.

Note that attachments are NOT physically deleted; merely their entry in the database is deleted, but you can find them in the uploads/ folder.

Also be warned that the version currently on CPAN, MojoMojo-0.999032, exhibits the issue.

The latest known version that does not have the attachment deletion is MojoMojo-0.999031.

Status Changed from In Progress to Complete.