Status: fully resolved

    banned user able to post comment

    Issue Number: 81
    Severity: Major
    Description:

    Crafting a URL like
    http://starfrontiers.us/comment/reply/952#comment-form
    JoeClient was able to post a comment, even though after clicking submit on the post he got "Access Restricted".

    see this node, JoeClient is banned
    http://starfrontiers.us/node/952
    Comments:

    CleanCutRogue
    September 17, 2007 - 5:52pm
    How thoroughly did you test.... was forum comments the only thing he was able to do?  Was there any other feature he was able to do that he shouldn't have?  I thought I made it so he couldn't even look at a forum post, much less reply to one.
    3. We wear sungoggles during the day. Not because the sun affects our vision, but when you're cool like us the sun shines all the time.

    -top 11 reasons to be a Yazirian, ShadowShack


    w00t (not verified)
    September 17, 2007 - 6:37pm
    Action                               | Result                        | Notes
    -------------------------------------+-------------------------------+------------------------------------------------------
    Click on Project                     | Denied                        |
    craft URL of any part of the Project | Denied                        |
    craft URL to add a comment           | node viewable and commentable | http://starfrontiers.us/comment/reply/952#comment-form
    craft URL to add a child book page   | Denied                        | http://starfrontiers.us/node/add/parent/1011
    support issues in project            | Viewable                      | can't create issue, but can see issues and comment

    CleanCutRogue
    September 19, 2007 - 9:16am
    Looks like all is well now.  It was an issue with project detection, not user rejection... works now it seems.


    w00t (not verified)
    September 19, 2007 - 11:00am
    CleanCutRogue wrote:
    Looks like all is well now. It was an issue with project detection, not user rejection... works now it seems.


    Do I need to retest?



    CleanCutRogue
    September 19, 2007 - 11:04am
    w00t wrote:
    CleanCutRogue wrote:
    Looks like all is well now. It was an issue with project detection, not user rejection... works now it seems.


    Do I need to retest?


    I tested the heck out of it (even found one you missed... but like a couple of yours it was a very unlikely exploit a user would try).  I don't think you need to, but you can if you run outta stuff to test :)