OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Models/ForumMember.php:74-82

Bug: Banned user (role=1) can still accept a pending invite.

Fix: Caller (controller) must check $user['role'] >= 2 before calling.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:55pm

Resolved.

ForumMembershipController::accept now rejects callers with role < 2 before calling ForumMember::accept (src/Controllers/ForumMembershipController.php). A user banned after an invitation was issued can no longer accept it and gain membership in a private forum.

Locking this thread.
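The fix described in this thread, as an added example that is not the project's code and not part of either post: a controller that authorizes at acceptance time, so an invite issued before a ban cannot be redeemed after it. The class bodies, the in-memory invite table, the integer status returns and the sample users are assumptions; only the class and method names and the role values (1 = banned, 2 = minimum allowed) come from the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the model: it flips a pending invite to a
// membership and, as in the report, performs no role check of its own.
final class ForumMember
{
    /** @var array<string,string> "forumId:userId" => status (constructed sample data) */
    public array $rows = ['7:42' => 'pending', '7:43' => 'pending'];

    public function accept(int $forumId, int $userId): bool
    {
        $key = "$forumId:$userId";
        if (($this->rows[$key] ?? null) !== 'pending') {
            return false; // no pending invite for this user
        }
        $this->rows[$key] = 'member';
        return true;
    }
}

final class ForumMembershipController
{
    private const MIN_ROLE = 2; // role 1 = banned, per the report

    public function __construct(private ForumMember $members) {}

    /** @param array{id:int, role:int} $user the caller's current record (assumed shape) */
    public function accept(array $user, int $forumId): int
    {
        // Check the role now, not when the invite was created: the ban may be newer.
        if (($user['role'] ?? 0) < self::MIN_ROLE) {
            return 403; // rejected before the model is ever called
        }
        return $this->members->accept($forumId, $user['id']) ? 200 : 404;
    }
}

$members    = new ForumMember();
$controller = new ForumMembershipController($members);

$banned = ['id' => 42, 'role' => 1]; // constructed: banned after the invite was issued
$active = ['id' => 43, 'role' => 2]; // constructed: regular member-level user

printf("banned -> %d, invite row: %s\n", $controller->accept($banned, 7), $members->rows['7:42']);
printf("active -> %d, invite row: %s\n", $controller->accept($active, 7), $members->rows['7:43']);
```

Because the model still performs no check of its own, any other code path that calls `ForumMember::accept` directly needs the same guard.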
