View Issue Details

ID: 0005944
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2014-12-08 14:22
Reporter: saulius.cepauskas
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: unable to reproduce
Product Version: 4.8.6 / 5.1.6
Target Version:
Fixed in Version:
Summary: 0005944: Missing rights check in core settings controllers for subshop admins.
Description: Missing rights check in core settings controllers. Sub shop admin can change most of all other shops' settings.
Steps To Reproduce:
Log in as subshop admin.
Change the request (URL) parameter 'cl' to 'shop_config' and add an additional parameter 'oxid', whose value is, let's say, '1' - main shop.
Change 'Bank account information (SEPA)' checkbox value for 'Use IBAN/BIC only'.
Log in as malladmin, and check if the parameter was changed for the main shop (#1).
Tags: No tags attached.
Theme: All
Browser: All
PHP Version: any
MySQL Version: any
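
The kind of per-request rights check the report describes as missing, as an added example that is not OXID's code and not part of the original report. The function names, the `settings` parameter and the rights model (`'malladmin'` or a single shop ID) are assumptions made for the illustration; only the `cl` and `oxid` parameters come from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical model: $rights is 'malladmin' for the mall admin, otherwise
// the ID of the single shop this admin manages (assumption of this example).
function canEditShop(string $rights, string $targetShopId): bool
{
    if ($rights === 'malladmin') {
        return true;
    }
    // Strict string comparison, so no type juggling between IDs.
    return $rights !== '' && $rights === $targetShopId;
}

// Hypothetical save handler for a settings controller such as 'shop_config'.
// $request stands for the request parameters, $admin for the logged-in user.
function saveShopSettings(array $admin, array $request, array &$shops): string
{
    // The target shop comes from the client-controlled 'oxid' parameter, so it
    // is authorized on every save, not only when the admin menu is rendered.
    $target = (string)($request['oxid'] ?? $admin['shopId']);

    if (!isset($shops[$target])) {
        return 'rejected: unknown shop';
    }
    if (!canEditShop($admin['rights'], $target)) {
        // Denied cross-shop writes are logged so they can be reviewed.
        error_log(sprintf('settings write denied: user=%s target_shop=%s',
            $admin['name'], $target));
        return 'rejected: not permitted';
    }
    foreach ($request['settings'] ?? [] as $name => $value) {
        $shops[$target][$name] = ($value === 'true');
    }
    return 'saved';
}

// Constructed sample data: two shops, a subshop admin for shop 2, a mall admin.
$shops    = ['1' => ['ibanOnly' => false], '2' => ['ibanOnly' => false]];
$subAdmin = ['name' => 'subshop-admin', 'rights' => '2', 'shopId' => '2'];
$mall     = ['name' => 'mall-admin', 'rights' => 'malladmin', 'shopId' => '1'];
$req      = ['cl' => 'shop_config', 'oxid' => '1', 'settings' => ['ibanOnly' => 'true']];

echo saveShopSettings($subAdmin, $req, $shops), "\n"; // subshop admin targeting shop 1
echo saveShopSettings($mall, $req, $shops), "\n";     // mall admin targeting shop 1
```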

Activities

jurate.baseviciene

2014-12-08 14:22

reporter   ~0010388

Hi,
We can't reproduce this kind of behavior. If you reproduce it, please provide us with more details and then please reopen this case.
We closed the bug as unable to reproduce.

Best regards,
Jurate