Person.addLanguage and Person.removeLanguage permissions are far too open
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself | Fix Released | Critical | Ioana Lasc | | |
Bug Description
If you can see a person at all, then you can edit their language preferences:
```
$ curl -s https:/
$ curl -d ws.op=addLanguage -d language=
null
$ curl -s https:/
"de"
$ curl -d ws.op=removeLan
null
$ curl -s https:/
```
These operations should surely be in `IPersonEditRes
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Ioana Lasc (ilasc)
Changed in launchpad:
status: In Progress → Fix Released
information type: Private Security → Public Security
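The permission gap described in the bug report, modelled as an added example that is neither Launchpad code nor part of the report: write operations declared under a view-level permission are callable by anyone who can see the person, and moving them under an edit-level permission closes the gap. The policy tables, `permissions_for`, `call`, `mutators_open_to_viewers` and the rule that only the person holds edit permission are assumptions made for illustration.

```python
# Toy model (constructed, not Launchpad code): every exported operation is
# mapped to the permission a caller must hold before it is dispatched.
from dataclasses import dataclass, field

VIEW, EDIT = "view", "edit"

@dataclass
class Person:
    name: str
    languages: set = field(default_factory=set)

    def addLanguage(self, language):
        self.languages.add(language)

    def removeLanguage(self, language):
        self.languages.discard(language)

    def getLanguages(self):
        return sorted(self.languages)

# Before the fix: the mutators are guarded only by view permission.
BEFORE = {"getLanguages": VIEW, "addLanguage": VIEW, "removeLanguage": VIEW}
# After the fix: the mutators require edit permission.
AFTER = {"getLanguages": VIEW, "addLanguage": EDIT, "removeLanguage": EDIT}

def permissions_for(caller, person):
    """Assumed rule: anyone who can see the person holds view; only the
    person holds edit (a simplification of a real permission model)."""
    return {VIEW, EDIT} if caller == person.name else {VIEW}

def call(policy, caller, person, op, *args):
    """Dispatch op only if the caller holds the permission the policy requires."""
    required = policy[op]
    if required not in permissions_for(caller, person):
        raise PermissionError(f"{caller} lacks {required} on {person.name} for {op}")
    return getattr(person, op)(*args)

def mutators_open_to_viewers(policy, mutating_ops):
    """Audit helper: mutating operations reachable with view permission alone."""
    return sorted(op for op in mutating_ops if policy.get(op) == VIEW)
```

Running `mutators_open_to_viewers` over the list of state-changing operations as a regression test catches this class of misplacement before release.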