ID: 79957
 
Not a bug
BYOND Version: N/A (Website Bug)
Operating System: Windows XP Home
Web Browser: Firefox 3.5.2
Status: Not a bug

This is not a bug. It may be an incorrect use of syntax or a limitation in the software. For further discussion on the matter, please consult the BYOND forums.
Descriptive Problem Summary:
When submitting a bug, one can edit the Author field, so somebody could submit a bug under a foreign key.

This report has been submitted by me (with the friendly authorisation of COnfuesSHhg), but is set under his name and added to his 'My Issues', together with edit rights for his key.
(The credit for the bug should still go to him though, if it is one.)

Numbered Steps to Reproduce Problem:
Report a bug and change the Author field.

Expected Results:
A security alert of some sort and the server not accepting the report.

Actual Results:
The server does not seem to check if the key that is logged in on the homepage and the Author field correlate, so it just sets the bug-report under a foreign key.

Does the problem occur:
Every time? Or how often? Every time
In other user accounts? Yes
On other computers? N/A

Workarounds:
The server should check if Author and logged in key are identical and only then allow the report.

I don't think there's any security breach here as the change-author functionality is intentional. For normal blog posts, only top-level admins have that power, but for bug trackers the ability to change the author was added deliberately for guild admins, of which you are one. This is something we may want to revisit if bug trackers are opened up to the public, but for these purposes I'm okay with it.

However, if I'm missing something about this report that does point to a security issue, like perhaps regular users having access to that author-changing ability, that would be quite helpful to know.

I was unaware of the special treatment of guild administrators.
I am sorry, please disregard this issue and thank you for the quick reply ;)
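
The permission rule discussed in this thread, written out as a server-side check that rejects and records a mismatched Author field unless the logged-in role is allowed to set it. This is an added example, not the BYOND site's code: the role and post-type names, `resolve_author`, the key canonicalisation, the audit-log shape and the assumption that top-level admins keep the power on bug trackers are all hypothetical.

```python
from enum import Enum

class Role(Enum):
    USER = "user"
    GUILD_ADMIN = "guild_admin"
    TOP_ADMIN = "top_admin"

class PostType(Enum):
    BLOG = "blog"
    BUG_TRACKER = "bug_tracker"

# Roles allowed to file a post under another key, per the reply in the thread.
# Assumption: top-level admins keep that power on bug trackers too.
MAY_SET_AUTHOR = {
    PostType.BLOG: {Role.TOP_ADMIN},
    PostType.BUG_TRACKER: {Role.TOP_ADMIN, Role.GUILD_ADMIN},
}

class AuthorMismatch(PermissionError):
    """Submitted Author differs from the logged-in key and the role may not override."""

def canon(key):
    # Assumed key canonicalisation: ignore case and whitespace.
    return "".join(key.split()).lower()

def resolve_author(session_key, role, post_type, submitted_author, audit_log):
    """Return the key to store as the report's author.

    session_key and role must come from the server-side session; only
    submitted_author is taken from the user-editable form field.
    """
    if not submitted_author or canon(submitted_author) == canon(session_key):
        return session_key
    allowed = role in MAY_SET_AUTHOR[post_type]
    # Record every attempt to post under another key, allowed or not.
    audit_log.append({"actor": session_key, "as": submitted_author,
                      "type": post_type.value, "allowed": allowed})
    if not allowed:
        raise AuthorMismatch(f"{session_key} may not post as {submitted_author}")
    return submitted_author

if __name__ == "__main__":
    log = []  # constructed sample keys, not real accounts
    print(resolve_author("ReporterKey", Role.GUILD_ADMIN, PostType.BUG_TRACKER, "OtherKey", log))
    try:
        resolve_author("ReporterKey", Role.USER, PostType.BUG_TRACKER, "OtherKey", log)
    except AuthorMismatch as exc:
        print("rejected:", exc)
    print(log)
```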