View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0017801 | phpList 3 application | Subscriber Export | public | 27-08-15 17:08 | 16-01-19 09:46

Field | Value
---|---
Reporter | sd3pk3
Assigned To |
Priority | normal
Severity | major
Reproducibility | always
Status | resolved
Resolution | fixed
Product Version | 3.0.12
Fixed in Version | 3.2.1
Summary | 0017801: Export subscriber with limited rights exports whole subscriber database
Tags | No tags attached.

Description

If you assign an admin to just one list (with non-superadmin permission) but with the permission to edit subscribers, he can go to "export subscribers" and export the whole subscriber database, not just his own list!

Steps To Reproduce

- Create an admin with permission "edit subscribers"
- Create two lists with subscribers, list1 and list2
- Assign list1 to this admin
- Go to the export section and export the database
- You will get the content of list1 and list2

Additional Information

Hotfix: In my eyes, this is critical if you need a strict separation between lists in terms of privacy/data protection. To restrict the export section to superadmins only, you have to modify the file /lists/admin/export.php. I put the following code at the beginning of the file, right under the `require_once` of accesscheck.php:

```php
<?php
require_once dirname(__FILE__).'/accesscheck.php';

# Hotfix inserted here: restricted area, access only for superadmin
if (!$_SESSION['logindetails']['superuser']) {
    print $GLOBALS['I18N']->get('Sorry, this page can only be used by super admins');
    return;
}
```

Please note: This is not a real fix, it's just a hotfix which allows you to continue using the system and being fine in terms of privacy (if you need separated lists). A real fix should just allow exporting the assigned list(s), nothing more.
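The "real fix" the reporter asks for (export limited to the lists the admin is assigned to), as an added illustration that is not phpList's own code: the allowed list set is derived server-side from the session, never from the request alone. Assumptions: a PDO connection, phpList-style tables `phplist_list(id, owner)`, `phplist_listuser(listid, userid)` and `phplist_user_user(id, email)`, and `$_SESSION['logindetails']` carrying `id` and `superuser` as used on this page.

```php
<?php
// Added example (not phpList code). Table and column names are assumptions.

/**
 * Return the list IDs the current admin may export: every requested list for
 * a superadmin, otherwise only the requested lists this admin owns.
 */
function exportableListIds(PDO $db, array $login, array $requested): array
{
    $requested = array_values(array_unique(array_map('intval', $requested)));
    if (empty($requested)) {
        return [];
    }
    if (!empty($login['superuser'])) {
        return $requested;                       // superadmin: no restriction
    }
    // Non-superadmin: intersect the request with lists owned by this admin,
    // so a tampered list id in the request yields nothing.
    $marks = implode(',', array_fill(0, count($requested), '?'));
    $stmt = $db->prepare(
        "SELECT id FROM phplist_list WHERE owner = ? AND id IN ($marks)"
    );
    $stmt->execute(array_merge([(int) $login['id']], $requested));
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

/**
 * Fetch the subscribers to export, restricted to the permitted lists.
 * Returns an empty array (exports nothing) when no list is permitted.
 */
function exportSubscribers(PDO $db, array $login, array $requested): array
{
    $lists = exportableListIds($db, $login, $requested);
    if (empty($lists)) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($lists), '?'));
    $stmt = $db->prepare(
        "SELECT DISTINCT u.id, u.email
           FROM phplist_user_user u
           JOIN phplist_listuser lu ON lu.userid = u.id
          WHERE lu.listid IN ($marks)"
    );
    $stmt->execute($lists);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in an export page (assumed request field 'lists'):
// $rows = exportSubscribers($db, $_SESSION['logindetails'], $_POST['lists'] ?? []);
```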