Danbooru

Unprivileged account exploit

Posted under General

I logged out and did some testing on this issue. I *think* it can be fixed by not even allowing an unprivileged account to load a page with the forbidden tags.

I mean, when fetching a post, check if the user is privileged. If not, redirect him to a "lol no" blank page.

_cf said:
I *think* it can be fixed by not even allowing an unprivileged account to load a page with the forbidden tags.

You have the right idea, but you don't need to load a page to edit tags. You'd need to check permissions a little more thoroughly than that.

RaisingK said:
You have the right idea, but you don't need to load a page to edit tags. You'd need to check permissions a little more thoroughly than that.

If this means that the system doesn't validate privileged status when it receives a post from /post/update/, then it's another door to be closed. In the case: "unprivileged accounts can't touch the forbidden tags".

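The check RaisingK describes, enforced in the update handler itself rather than when rendering the post page, as an added Ruby example that is not Danbooru's code; the FORBIDDEN_TAGS list, the User struct and the update_tags handler are assumptions.

```ruby
require "set"

# Constructed placeholder list; the real restricted tags are site policy.
FORBIDDEN_TAGS = %w[restricted_a restricted_b].to_set.freeze

User = Struct.new(:name, :privileged)

class Forbidden < StandardError; end

# Which forbidden tags would be added or removed by this edit?
# Symmetric difference catches both directions.
def forbidden_changes(old_tags, new_tags)
  (old_tags.to_set ^ new_tags.to_set) & FORBIDDEN_TAGS
end

# Handler for /post/update/. Every request passes through here, whether it
# came from the edit form on the post page or was submitted directly, so a
# user who never loaded the page is still checked. Returns the updated post.
def update_tags(user, post, new_tags)
  changed = forbidden_changes(post[:tags], new_tags)
  unless changed.empty? || user.privileged
    # Raise (and, in a real app, log) so the attempt is visible to staff.
    raise Forbidden,
          "#{user.name} tried to change restricted tags: #{changed.to_a.sort.join(' ')}"
  end
  post.merge(tags: new_tags.uniq.sort)
end
```
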