| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Sulu Version | 2.5.13 |
| Sulu Comment Bundle Version | 2.0.0 |
| Browser Version | Google Chrome Version 123.0.6312.86 (Official Build) (64-bit) |
Actual Behavior
It is possible to manipulate or delete existing comments / threads by simply sending POST requests to the WebsiteController,
e.g. https://localhost:8000/threads/b69cc46e-9527-48b5-a98d-3a3634c41f05/comments/2
Neither the WebsiteController nor the CommentManager checks that the current user is the creator of the comment.
Expected Behavior
Only the creator of the comment should be able to delete or edit the comment.
Steps to Reproduce
- Create a comment on the website frontend
- Send a POST or DELETE request with the threadId and commentId (you can find them in the HTML code on the frontend)
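The missing check described above is an object-level authorization check: the request identifies the comment, but nothing ties the comment's creator to the authenticated user. The following is an added example of how such a check can be enforced with a Symfony voter; it is not code from SuluCommentBundle or from this issue. It assumes the comment object exposes a `getCreator()` method returning a Symfony `UserInterface` (or null), and the controller snippet, repository variable and route are hypothetical placeholders to adapt to the bundle's own classes.

```php
<?php
// Added example, not SuluCommentBundle code. Assumes CommentInterface exposes
// getCreator(): ?UserInterface (assumption; adapt the class/method names).

namespace App\Security;

use Sulu\Bundle\CommentBundle\Entity\CommentInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class CommentOwnerVoter extends Voter
{
    public const EDIT = 'COMMENT_EDIT';
    public const DELETE = 'COMMENT_DELETE';

    // Only vote on edit/delete decisions about comment objects; abstain otherwise
    // so other voters (e.g. an admin voter) can still grant access.
    protected function supports(string $attribute, $subject): bool
    {
        return in_array($attribute, [self::EDIT, self::DELETE], true)
            && $subject instanceof CommentInterface;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // anonymous requests never get edit/delete rights
        }

        /** @var CommentInterface $subject */
        $creator = $subject->getCreator();
        if (null === $creator) {
            return false; // a comment with no recorded creator cannot be claimed
        }

        // Fail closed: grant only when the authenticated user is the creator.
        return $creator->getUserIdentifier() === $user->getUserIdentifier();
    }
}

// Hypothetical controller action for /threads/{threadId}/comments/{commentId}.
// $commentRepository is an assumed lookup service; the point is that the
// authorization decision happens before the comment is modified or removed.
//
// $comment = $commentRepository->find($commentId);
// if (null === $comment) {
//     throw $this->createNotFoundException();
// }
// $this->denyAccessUnlessGranted(CommentOwnerVoter::DELETE, $comment); // 403 if not creator
// $commentManager->delete($threadId, $commentId);
```

The voter abstains for attributes and subjects it does not recognise, so it composes with a separate role-based voter for moderators; comparing user identifiers rather than object identity avoids false negatives when the creator is loaded as a different entity instance than the token's user.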