InvoicePlane / IP-443

Guest can view all generated invoices

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: v1.4.8
    • Fix Version/s: v1.4.9
    • Labels:
      None
    • Environment:

      Server:
      Debian 8.4
      Apache 2.4.10
      PHP 5.6.19
      MariaDB 10.0

      Client:
      Firefox 48.0

      Description

      A guest user is able to view all generated PDF invoices by changing the URL to another PDF ID.
      For example:
      http://hostname/guest/invoices/generate_pdf/67 is a PDF the guest is allowed to see, but by changing the URL to something like:
      http://hostname/guest/invoices/generate_pdf/68, the guest is able to see a generated PDF for a user which was not added to the guest.
      I have not tested this for quotes.
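
The missing check described in this report, as an added example that is not InvoicePlane's code or the actual fix in v1.4.9: a handler that trusts the id from the URL next to one that resolves the invoice only among the clients assigned to the guest. The function names, the status-code return values and the sample client and guest ids are constructed for illustration.

```php
<?php
// Added illustration, not InvoicePlane source. All names and data are hypothetical.

// Constructed sample data: invoice id => owning client id.
const INVOICES = [67 => 12, 68 => 31];
// Constructed sample data: guest user id => client ids assigned to that guest.
const GUEST_CLIENTS = [5 => [12]];

// Before: the id from the URL is trusted, so any logged-in guest gets any existing invoice.
function generate_pdf_unchecked(int $guestId, int $invoiceId): int
{
    if (!array_key_exists($invoiceId, INVOICES)) {
        return 404;
    }
    return 200; // PDF rendered for whoever asked
}

// After: the invoice is served only if its client is assigned to the requesting guest.
function generate_pdf_checked(int $guestId, int $invoiceId): int
{
    $allowedClients = GUEST_CLIENTS[$guestId] ?? [];
    $owner = INVOICES[$invoiceId] ?? null;
    // Same response for "missing" and "not yours", so the reply does not confirm which ids exist.
    if ($owner === null || !in_array($owner, $allowedClients, true)) {
        return 404;
    }
    return 200;
}

// Guest 5 is assigned client 12 only; invoice 68 belongs to client 31, invoice 69 does not exist.
foreach ([67, 68, 69] as $id) {
    printf("invoice %d: unchecked=%d checked=%d\n", $id,
        generate_pdf_unchecked(5, $id), generate_pdf_checked(5, $id));
}
```

The same ownership lookup applies to any guest route that takes an object id from the URL, including the quotes route the reporter did not test.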

                People

                • Assignee:
                  kovah Kovah
                  Reporter:
                  phochs phochs
                • Votes:
                  0
                  Watchers:
                  2

                  Dates

                  • Created:
                    Updated:
                    Resolved:
