Hi,

Great module! I just came across a potential security issue in this module. I have a web site for members only where members join with invitation.

I observed that when a new user wants to join the site, and the account sign-up screen is presented, the RSVP tab is present and allows access to the RSVP events, even if the user is just a visitor. I only allowed access to 'Own RSVP's for members only.

See the URL below (for user '0', unregistered visitors): the content of the RSVP is not denied, but the tab is displayed.
http://www.mysite.com/user/0/rsvp

I think this is a security bug.
Cheers,
Val

Comments

owahab

Component: Integration » Code
Assigned: Unassigned » owahab
owahab

Version: 5.x-1.x-dev » 5.x-1.1
Status: Active » Fixed

A new release 1.1 will fix this issue among some other issues.
Thanks for your contribution.

owahab

Status: Fixed » Closed (fixed)