OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/MessageController.php:519-593

Bug: Banned (role 1) user can receive messages via direct POST.

Fix: Fetch recipient and assert role before proceeding.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:52pm

Resolved.

MessageController::startConversation now fetches the recipient and asserts role >= 2 before proceeding (src/Controllers/MessageController.php). A direct POST with a banned user's id (role=1) or a non-existent id now gets the generic "Unable to start conversation." flash instead of creating a conversation that the recipient can't participate in.

Locking this thread.
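The check described in the two posts above, written out as an added PHP example. This is not the project's own MessageController code: the in-memory `USERS` array, the `findUser()` helper and the `startConversationBefore()`/`startConversationAfter()` function names are assumptions standing in for the real repository and controller, and only the role semantics (role 1 = banned, role >= 2 allowed) and the generic "Unable to start conversation." flash come from the thread.

```php
<?php
// Added example, not the project's code. Assumes a users table with columns
// id and role, where role 1 = banned and role >= 2 = an active member.
declare(strict_types=1);

// Constructed in-memory stand-in for the users table.
const USERS = [
    7  => ['id' => 7,  'role' => 1], // banned account
    12 => ['id' => 12, 'role' => 2], // regular member
];

// Same flash for every rejection so the response does not reveal whether
// the id was missing or belonged to a banned account.
const GENERIC_FLASH = 'Unable to start conversation.';

function findUser(int $id): ?array
{
    return USERS[$id] ?? null;
}

// Vulnerable pattern: trusts the posted recipient id and creates the
// conversation without ever loading the recipient, so a direct POST with
// a banned user's id (or a non-existent id) succeeds.
function startConversationBefore(array $post): array
{
    $recipientId = (int) ($post['recipient_id'] ?? 0);
    return ['ok' => true, 'conversation' => ['recipient_id' => $recipientId]];
}

// Hardened pattern: validate the id, fetch the recipient, and assert the
// role before anything is created. Both "not found" and "banned" take the
// same early-return path with the same generic flash.
function startConversationAfter(array $post): array
{
    $recipientId = filter_var($post['recipient_id'] ?? null, FILTER_VALIDATE_INT);
    if ($recipientId === false) {
        return ['ok' => false, 'flash' => GENERIC_FLASH];
    }

    $recipient = findUser($recipientId);
    if ($recipient === null || $recipient['role'] < 2) {
        return ['ok' => false, 'flash' => GENERIC_FLASH];
    }

    return ['ok' => true, 'conversation' => ['recipient_id' => $recipient['id']]];
}

// Constructed POST bodies: banned id, unknown id, valid id, malformed id.
$samples = [
    ['recipient_id' => '7'],
    ['recipient_id' => '999'],
    ['recipient_id' => '12'],
    ['recipient_id' => 'abc'],
];

foreach ($samples as $post) {
    printf(
        "recipient_id=%-4s before: %-45s after: %s\n",
        $post['recipient_id'],
        json_encode(startConversationBefore($post)),
        json_encode(startConversationAfter($post))
    );
}
```

Running this shows the "before" function accepting all four bodies while the "after" function only creates a conversation for id 12. The point worth keeping in mind when reviewing similar controllers: hiding banned users from the recipient picker in the UI does nothing for a hand-crafted POST, so the role assertion has to live in the server-side handler that actually creates the record.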
