Automattic / WP-Job-Manager

Manage job listings from the WordPress admin panel, and allow users to post jobs directly to your site.

Home Page:https://wpjobmanager.com

Preview of a listing can be viewed and edited by anybody

davoraltman opened this issue

What I Expected To Happen

The preview of a listing on the frontend should be restricted to the user who created it.

What Happened Instead

However, it can be viewed and edited by anyone.

Steps to Reproduce the Bug

1. Create a new listing and click on preview.
2. Copy the URL of that page.
3. Open page source and look for job_id and its value.
4. Append ?job_id=xxxx (xxxx being the number of the job_id from the page source) and visit the URL in an incognito window/another browser.
5. You'll be able to view and edit the preview.

commented

It's due to this line setting the protected $this->job_id from $_REQUEST['job_id'] without any other verifications:

https://github.com/Automattic/WP-Job-Manager/blob/master/includes/forms/class-wp-job-manager-form-submit-job.php#L60

commented

Specifically setting the value to 0 may cause issues down the line because now you're requiring the cookie to be set .... and there may be instances where the cookie isn't going to be set, and probably cause issues.

Nobody replied to my comment (which seems to be common) so there was no discussion about this ... but if anything it should be checking with the built in function to see if user can edit the listing, and THEN set it to 0 if they can't .... just like it does when editing a listing

@donnchawp can you take a look at this when you have time? Cheers :)
@tripflex Thanks!

@tripflex - thanks for checking that. You're right, that it should use the built in function to check if the user has authority to edit the job.

I merged #771 from @tripflex which fixes the problem by using the job_manager_user_can_edit_job() function. Thanks!
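The pattern behind this issue and its fix, as an added example that is not WP Job Manager's own code: the thread says the submit form read job_id straight from $_REQUEST with no check, and that the merged fix gates it through job_manager_user_can_edit_job(). The block below models both versions side by side so they can be run with plain php on the command line. Everything prefixed demo_ is a hypothetical stand-in (the current-user lookup, the job author table, and the permission check); the local absint() is a copy of the WordPress helper so the file runs outside WordPress; and the real job_manager_user_can_edit_job() is assumed to also honour admin capabilities, which this stand-in ignores.

```php
<?php
// Added example modelling the bug in this issue; not code from the plugin.
// Vulnerable: job_id comes from the request and is used as-is.
// Hardened: the same id is reset to 0 unless the current user may edit it.

// Minimal local copy of the WordPress absint() helper so this runs under plain php.
if ( ! function_exists( 'absint' ) ) {
    function absint( $v ): int { return abs( (int) $v ); }
}

// Hypothetical stand-in for the WordPress current-user lookup (0 = not logged in).
function demo_current_user_id(): int {
    return $GLOBALS['demo_current_user'] ?? 0;
}

// Hypothetical stand-in for the stored listings: job_id => author user id.
function demo_job_author( int $job_id ): ?int {
    $jobs = [ 4242 => 7, 4243 => 9 ];   // constructed sample data
    return $jobs[ $job_id ] ?? null;
}

// Hypothetical stand-in for job_manager_user_can_edit_job(): true only when a
// logged-in user is the listing's author. The real function is assumed to also
// grant admins; that is left out here to keep the demo self-contained.
function demo_user_can_edit_job( int $job_id ): bool {
    $uid = demo_current_user_id();
    if ( $uid === 0 || $job_id === 0 ) {
        return false;
    }
    return demo_job_author( $job_id ) === $uid;
}

// Vulnerable pattern (the behaviour reported above): whatever job_id the
// request carries becomes the listing the form previews and edits.
function vulnerable_job_id_from_request( array $request ): int {
    return ! empty( $request['job_id'] ) ? absint( $request['job_id'] ) : 0;
}

// Hardened pattern: identical parsing, but the id is discarded (reset to 0)
// when the current user is not allowed to edit that listing, which is the
// shape of the check the merged fix applies.
function hardened_job_id_from_request( array $request ): int {
    $job_id = ! empty( $request['job_id'] ) ? absint( $request['job_id'] ) : 0;
    if ( $job_id && ! demo_user_can_edit_job( $job_id ) ) {
        $job_id = 0;
    }
    return $job_id;
}

// Scenario from the reproduction steps: a preview URL carrying ?job_id=4242
// (constructed value) opened by different users.
$request = [ 'job_id' => '4242' ];

// Anonymous visitor in another browser: the vulnerable path hands back the
// id from the URL, the hardened path drops it so no foreign listing loads.
$GLOBALS['demo_current_user'] = 0;
printf( "anonymous,  vulnerable: job_id=%d\n", vulnerable_job_id_from_request( $request ) );
printf( "anonymous,  hardened:   job_id=%d\n", hardened_job_id_from_request( $request ) );

// The listing's author keeps access to their own preview under the hardened path.
$GLOBALS['demo_current_user'] = 7;
printf( "author,     hardened:   job_id=%d\n", hardened_job_id_from_request( $request ) );

// Another logged-in user is treated like the anonymous visitor.
$GLOBALS['demo_current_user'] = 9;
printf( "other user, hardened:   job_id=%d\n", hardened_job_id_from_request( $request ) );
```

The security-relevant detail is the order of operations: the request value is parsed first and only then tested against the permission check, so a request that fails the check falls back to 0 (a fresh form) rather than being trusted. That matches the approach argued for in the thread, checking whether the user can edit the listing before deciding to zero the id, rather than unconditionally zeroing it and depending on a cookie being present.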