• canyonknight's avatar
    Fix account editing and hijacking vulnerability · 87fe4701
    canyonknight authored
    Checks are in place to avoid users getting account editing forms
    they shouldn't have access to. The appropriate checks before
    editing the account in the backend are not in place.
    This vulnerability allows a user to craft malicious POST data to
    edit other user accounts, thereby allowing account hijacking.
    Add a new flexible function can_edit_account() to determine if
    a user has appropriate permissions. Run the permission check before
    processing any account information in the backend.
    Signed-off-by: default avatarcanyonknight <canyonknight@gmail.com>
    Signed-off-by: default avatarLukas Fleischer <archlinux@cryptocrack.de>