Unprivileged account exploit

If you can reach a post that's tagged loli or shota, it's possible for unprivileged accounts to remove the offending tag with web developer tools and then submit without it, making themselves able to view it. Possible to fix?

There was a simiar bug that I believe there was a trac submitted for this could probably be added but I can't find the ticket because searching track just gave me a 404.

Log said:
There was a simiar bug that I believe there was a trac submitted for this could probably be added but I can't find the ticket because searching track just gave me a 404.

trac #1323?

Yeah, that was the one I was thinking of.

There's also a Greasemonkey script for "viewing of loli/shota images on non-upgraded accounts". But since it's a script I don't know if we can do anything to stop it...

I logged out and did some testing on this issue. I *think* it can be fixed by not even allowing an unprivileged account to load a page with the forbidden tags.

I mean, when fetching a post, check if the user is privileged. If not, redirect him to a "lol no" blank page.

_cf said:
I logged out and did some testing on this issue. I *think* it can be fixed by not even allowing an unprivileged account to load a page with the forbidden tags.

This seems like a good solution.

_cf said:
I *think* it can be fixed by not even allowing an unprivileged account to load a page with the forbidden tags.

You have the right idea, but you don't need to load a page to edit tags. You'd need to check permissions a little more thoroughly than that.

RaisingK said:
You have the right idea, but you don't need to load a page to edit tags. You'd need to check permissions a little more thoroughly than that.

If this means that the system doesn't validate privileged status when it receives a post from /post/update/ , then it's another door to be closed. In the case: "unprivileged accounts can't touch the forbidden tags"