Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 1.3 RC1
Affects Version/s: 1.1 M3
Component/s: Old Core
Labels:
None

Similar issues:

Description

In some plugins (at least LDAPPlugin and FeedsPlugin) there is rights check in the PluginAPI but no rights check in the getPlugin() function.
So anyone will be able to use plugin's fonctions directly, bypassing de PluginAPI checks.
A fix could be to put rights checks in the getPlugin() function or directly inside plugins.
But I think the best choice would be to remove the getPlugin() from the PluginAPI, as it's shouldn't be allowed calling plugins directly from a groovy or velocity page.
WDYT?

Attachments

Activity

People

Assignee:: Sergiu Dumitriu

Reporter:: Raffaello Pelagalli

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 01/Aug/07 09:34

Updated:: 02/Dec/22 10:43

Resolved:: 25/Feb/08 22:08

Date of First Response:: 27/Aug/07 6:40 PM