yaun
- Posts: 3
- Topic Created: Mon Jan 16 11:29:41 2012 +0100
I discovered that the ThemeEditor that is installable with 2.5b1 has a potential security risk: Guests can edit your files!
To fix: in modules/theme_editor/theme_editor.php
add:
    public function admin_theme_editor($admin) {
        // Reject any visitor whose group lacks the "change_settings" permission.
        if (!Visitor::current()->group->can("change_settings"))
            show_403(__("Access Denied"), __("You do not have sufficient privileges to change settings."));
        // ... the existing method body continues here ...
    }
to admin_theme_editor
Arian
Hey yaun, welcome to Chyrp.
Great catch mate, will push a fix commit right away.
Thanks for reporting it though, much appreciated.
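An audit for the same gap in other modules, added here as an example and not part of the original posts or of Chyrp's code: it flags every `admin_*` method in a PHP source string that never calls `Visitor::current()->group->can(...)`. It assumes admin handlers follow the `admin_` naming seen in the post; the sample source and the method names `admin_fixed_editor`, `settings_nav` and `save_edited_file` are constructed.

```python
import re

# Constructed sample modelled on the snippet in the post; not Chyrp's actual source.
SAMPLE_PHP = '''<?php
class ThemeEditor extends Modules {
    public function admin_theme_editor($admin) {
        save_edited_file();
    }
    public function admin_fixed_editor($admin) {
        if (!Visitor::current()->group->can("change_settings"))
            show_403(__("Access Denied"), __("You do not have sufficient privileges to change settings."));
        save_edited_file();
    }
    public function settings_nav($navs) {
        return $navs;
    }
}
'''

# Assumption: admin page handlers are methods named admin_*, as in the post.
HANDLER = re.compile(r'function\s+(admin_\w+)\s*\([^)]*\)\s*\{')
# The permission call used in the posted fix, with any permission name.
CHECK = re.compile(r'Visitor::current\(\)\s*->\s*group\s*->\s*can\s*\(')

def method_body(src, start):
    """Return the text from the '{' at index start to its matching '}'.
    Naive brace counting: braces inside strings or comments are not skipped."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]  # unbalanced source: fall back to the rest of the file

def unchecked_admin_handlers(src):
    """Names of admin_* methods whose body contains no group->can() call."""
    findings = []
    for m in HANDLER.finditer(src):
        body = method_body(src, m.end() - 1)  # m.end() - 1 is the opening brace
        if not CHECK.search(body):
            findings.append(m.group(1))
    return findings

if __name__ == "__main__":
    for name in unchecked_admin_handlers(SAMPLE_PHP):
        print("no permission check:", name)
```

A method that passes this scan still needs a manual look: the script only confirms that a `can()` call exists somewhere in the body, not that it names the right permission or runs before the privileged action.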