View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0018088||phplist application||Message Management||public||18-04-16 12:54||19-04-16 13:04|
|Target Version||Fixed in Version||3.2.5|
|Summary||0018088: Resending Campaign to "all lists" and "all public lists" ignores user permissions|
|Description||When choosing to resend an already finished campaign, checking either "all lists" or "all public lists" queues the campaign into all/all public system wide available subscriber lists, instead of limiting the user to his/her own lists.|
That way, a user can unknowingly send a campaign to lists they have no rights to do so.
|Steps To Reproduce||1. Create admin with limited permissions (campaigns/subscribers)|
2. Create subscriber list as new user
3. Create and send campaign to new list
4. Under "Campaigns - List Campaigns - Send", view the campaign
5. Under "Send this campaign to another list:" check "all"/"all public"
|Tags||No tags attached.|
||I agree, this is serious, will test it myself now|
||can't replicate it so far, but discussing it futher|
screenshots.zip (110,464 bytes)
||Added screenshots to show behavior. if you need any additional information, please let me know.|
||Ok, so I have found it's only lists created since the first campaign was sent - so your how to reproduce is very accurate. If I do resend and the lists are older than the mail, it does not send.|
||Though actually none of the subscribers received the mail on those lists - so many it's not so scary. I see you are in test mode, so I don't think you know if the mails were sent or not in your case?|
In our case the mail sadly was sent. That was what brought me to investigate in the first place. The screenshots were made afterwards on our test-server, on which the test mode is enabled.
After examining what the editor in question did, the described scenario was the most likely as it yielded the wrong settings.
I'll dig a bit deeper tomorrow and see if i can come up with any more information.
I found the offending pieces of code in admin/message.php. Both queries lack the owner constraints.
A pull request with a suggested fix has been created at