View Issue Details

ID: 0018088
Project: phpList 3 application
Category: Campaign Management
View Status: public
Last Update: 19-04-16 13:04
Reporter: sdanisch
Assigned To:
Status: resolved
Resolution: fixed
Product Version: 3.2.4
Fixed in Version: 3.2.5
Summary: 0018088: Resending Campaign to "all lists" and "all public lists" ignores user permissions
Description:
When choosing to resend an already finished campaign, checking either "all lists" or "all public lists" queues the campaign into all/all public system-wide available subscriber lists, instead of limiting the user to his/her own lists.

That way, a user can unknowingly send a campaign to lists they have no rights to send to.
Steps To Reproduce:
1. Create admin with limited permissions (campaigns/subscribers)
2. Create subscriber list as new user
3. Create and send campaign to new list
4. Under "Campaigns - List Campaigns - Send", view the campaign
5. Under "Send this campaign to another list:" check "all"/"all public"
6. Resend

Tags: No tags attached.



18-04-16 13:38

manager   ~0057618

I agree, this is serious, will test it myself now


18-04-16 14:33

manager   ~0057620

can't replicate it so far, but discussing it further


18-04-16 14:50

reporter attached a file (110,464 bytes)


18-04-16 14:50

reporter   ~0057621

Added screenshots to show behavior. if you need any additional information, please let me know.


18-04-16 15:33

manager   ~0057624

Ok, so I have found it's only lists created since the first campaign was sent - so your how to reproduce is very accurate. If I do resend and the lists are older than the mail, it does not send.


18-04-16 15:37

manager   ~0057625

Though actually none of the subscribers received the mail on those lists - so maybe it's not so scary. I see you are in test mode, so I don't think you know if the mails were sent or not in your case?


18-04-16 16:09

reporter   ~0057626

In our case the mail sadly was sent. That was what brought me to investigate in the first place. The screenshots were made afterwards on our test-server, on which the test mode is enabled.

After examining what the editor in question did, the described scenario was the most likely as it yielded the wrong settings.

I'll dig a bit deeper tomorrow and see if I can come up with any more information.


19-04-16 07:20

reporter   ~0057634

I found the offending pieces of code in admin/message.php. Both queries lack the owner constraints.

A pull request with a suggested fix has been created at

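The missing owner constraint described in the comment above, as an added illustration that is not phpList's own code: a constructed SQLite model runs the "all"/"all public" list selection with and without an owner restriction, and an audit query flags queued lists the sending admin does not own. Table and column names are assumptions, not phpList's real schema.

```python
import sqlite3

# Constructed schema: a simplified stand-in for a list table with an owner
# column and a public ("active") flag. Not phpList's real schema.
SCHEMA = """
CREATE TABLE list (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER, active INTEGER);
CREATE TABLE listmessage (messageid INTEGER, listid INTEGER, UNIQUE(messageid, listid));
"""
# Constructed sample data: (id, name, owner admin id, active/public flag).
SAMPLE_LISTS = [
    (1, "editor-news", 2, 1),    # owned by the limited admin (id 2), public
    (2, "editor-beta", 2, 0),    # owned by admin 2, private
    (3, "corp-all", 1, 1),       # owned by another admin, public
    (4, "corp-internal", 1, 0),  # owned by another admin, private
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO list VALUES (?, ?, ?, ?)", SAMPLE_LISTS)
    return conn

def _queue(conn, messageid, sql, params=()):
    ids = [row[0] for row in conn.execute(sql, params)]
    conn.executemany("INSERT OR IGNORE INTO listmessage VALUES (?, ?)",
                     [(messageid, i) for i in ids])
    return sorted(ids)

def resend_unconstrained(conn, messageid, public_only):
    """Behaviour from the report: 'all'/'all public' selects every list
    system-wide, with no owner constraint on the query."""
    sql = "SELECT id FROM list" + (" WHERE active = 1" if public_only else "")
    return _queue(conn, messageid, sql)

def resend_owned(conn, messageid, admin_id, public_only, superuser=False):
    """Hardened form: a non-superuser only reaches lists they own."""
    where, params = [], []
    if public_only:
        where.append("active = 1")
    if not superuser:
        where.append("owner = ?")
        params.append(admin_id)
    sql = "SELECT id FROM list" + (" WHERE " + " AND ".join(where) if where else "")
    return _queue(conn, messageid, sql, params)

def foreign_lists_queued(conn, messageid, admin_id):
    """Audit check: lists queued for a message that the sender does not own."""
    sql = """SELECT lm.listid FROM listmessage lm JOIN list l ON l.id = lm.listid
             WHERE lm.messageid = ? AND l.owner != ?"""
    return sorted(row[0] for row in conn.execute(sql, (messageid, admin_id)))
```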

19-04-16 10:02

manager   ~0057635



19-04-16 13:04

administrator   ~0057640