block/add doesn't check for access before generating list [#1839966]

The administrative page, block/add, doesn't check whether or not a user has access to create a bean of a specific type before generating the list.

Comment	File	Size	Author
#1	bean-permissions-1839966-1.patch	1.01 KB	ultimateboy

Comments

ultimateboy commented 14 November 2012 at 00:07

Status:

Active

» Needs review

Status	File	Size
new	bean-permissions-1839966-1.patch	1.01 KB

indytechcook commented 19 November 2012 at 19:59

Priority:	Normal	» Critical
Status:	Needs review	» Fixed

I'd almost consider this a security issue.

3 December 2012 at 20:01

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.