[H-19] CURATOR_ID = 123 hard-coded — FK violation if user missing

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Models/AuditLog.php:33, 149-157

Bug: Audit forum post uses a fixed user ID with no existence check.

Fix: Verify curator exists before postToForum; skip forum post gracefully if missing.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:40pm

Resolved.

AuditLog::postToForum now caches an existence check for CURATOR_ID (user 123) alongside the existing log-forum check. If the curator row is missing the forum post is skipped gracefully (the underlying audit_log row was already written in record()). Prevents a FK-violation from terminating the request mid-action after the audit row has already persisted.

Locking this thread.

Related Discussions

New-user onboarding: pick retro platforms, auto-subscribe to those forums
Important Alerts · 0 replies · 0 views
[L-8] checkUsername session-based limit near-useless without cookies
Security Issues · 0 replies · 1 views
[L-5] MaintenanceMiddleware bypass uses unvalidated $_SESSION['user_id']
Security Issues · 0 replies · 1 views
[L-4] AdminMiddleware re-queries user instead of using AuthMiddleware's validation
Security Issues · 0 replies · 1 views
[M-28] UserCredit::history interpolates LIMIT/OFFSET as strings
Security Issues · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy