Users can remove imported entries from sbbslist
I had a new user come by today who browsed the sbbslist utility (?sbbslist browse) and was able to remove an imported entry that they did not create.
I reviewed the code, and it appears the can_edit function is supposed to prevent precisely this type of action, but it doesn't. Are the string returns supposed to be the same as a boolean false return?
    // `user` is the Synchronet global for the logged-on user; `bbs` is an sbbslist entry.
    // Every denial path returns a string, and a non-empty string is truthy in JavaScript.
    function can_edit(bbs)
    {
        if(!bbs)
            return "not an entry";
        if(bbs.imported) {
            return "Cannot edit imported entries";
        }
        if(bbs.entry.created
            && bbs.entry.created.by
            && bbs.entry.created.by.toLowerCase() != user.alias.toLowerCase()) {
            return "Sorry, this entry was created by: " + bbs.entry.created.by;
        }
        return true;
    }
To me it looks like it's always returning true. This could open the potential for sbbslist abuse.
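The following is an added example, not code from sbbslist: it reproduces the truthiness problem described above and shows a caller that only accepts a strict boolean true as permission. The `user` object is passed in as a parameter here (an assumption); in the real module it is a Synchronet global. The `bbs.entry &&` guard is also an addition.

```javascript
// can_edit mirrors the reported function: denials are strings, permission is boolean true.
// `user` is passed explicitly here (assumption); sbbslist uses the Synchronet global.
function can_edit(bbs, user) {
    if (!bbs)
        return "not an entry";
    if (bbs.imported)
        return "Cannot edit imported entries";
    if (bbs.entry && bbs.entry.created && bbs.entry.created.by
        && bbs.entry.created.by.toLowerCase() != user.alias.toLowerCase())
        return "Sorry, this entry was created by: " + bbs.entry.created.by;
    return true;
}

// Naive caller: `if (can_edit(bbs))` style. A non-empty denial string is truthy,
// so every refusal is treated as permission. This is the failure mode in the report.
function naive_allows(bbs, user) {
    return !!can_edit(bbs, user);
}

// Hardened caller: only the exact boolean true grants access; any string is a refusal.
function strict_allows(bbs, user) {
    return can_edit(bbs, user) === true;
}

// Surfaces the denial reason to the user, or null when editing is permitted.
function deny_reason(bbs, user) {
    var result = can_edit(bbs, user);
    return result === true ? null : String(result);
}

// Constructed sample data for demonstration.
var alice = { alias: "Alice" };
var imported_entry = { imported: true, entry: { created: { by: "Bob" } } };
var bobs_entry = { imported: false, entry: { created: { by: "Bob" } } };
var own_entry = { imported: false, entry: { created: { by: "alice" } } };

console.log("naive, imported:", naive_allows(imported_entry, alice));   // true (bug)
console.log("strict, imported:", strict_allows(imported_entry, alice)); // false
console.log("strict, own:", strict_allows(own_entry, alice));           // true
console.log("reason, Bob's:", deny_reason(bobs_entry, alice));
```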