0005944: Missing rights check in core settings controllers for subshop admins.

ID	Project	Category	View Status	Date Submitted	Last Update

0005944	OXID eShop (all versions)	4.04. Security	public	2014-10-31 10:02	2014-12-08 14:22

Reporter	saulius.cepauskas	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	unable to reproduce
Product Version	4.8.6 / 5.1.6

Summary	0005944: Missing rights check in core settings controllers for subshop admins.
Description	Missing rights check in core settings controllers. Sub shop admin can change most of all other shops settings.
Steps To Reproduce	Login as subshop admin. Change request (url) parameter 'cl' to 'shop_config', add additional parameter 'oxid', which value lets say is '1' - main shop. Change 'Bank account information (SEPA)' checkbox value for 'Use IBAN/BIC only'. Login as malladmin, and check if parameter was changed for the main shop (#1).
Tags	No tags attached.

Theme	All
Browser	All
PHP Version	any
Database Version	any

jurate.baseviciene 2014-12-08 14:22 reporter ~0010388	Hi, We can't reproduce a such kind of behavior. If you will reproduce it please provide us more details and then please reopen this case. We closed bug as unable to reproduce. Best regards, Jurate