Avatar for squadette
I've just fixed a medium-level security bug in Mokum. It could NOT be used for unauthorized access to private posts. The scenario was as following: a) other user sees your post as usual (because your feed is public or user is subscribed to your private feed); b) other user favs or hides that post; c) you either go private or you unsubscribe that user from your feed, so that this post should not be visible to them any more); d) other user could still see your post on their "my favs" or "hidden entries" page. They could see post text and up to five comments (or first and the last comment if there were more than five comments). Post was not accessible from the post page or from any other page. Many thanks to @inque for reporting this error. I want to sincerely express my apologies for this error.
The first part of this bug (related to hides) was present since end of August 2015, the second part (related to favs) — since end of December 2015. Both pages are used quite rarely, only 8 page objects of affected type had to be rebuilt (out of 26000+ total). ‎· псы в рапиде
1 2 3 4 5 6 7 8 9 10