Aayush
Well-known member
- Affected version
- 2.0.2
Steps to reproduce:-
1. Create a new user.
2. Load his profile in a browser.
3. Set the permission of his user group for the following "Post new profile posts".
4. Post in the already present text box and the message is posted on the profile.
Although the profile box is hidden when the page is refreshed, anybody would know about the form action endpoint and can create unlimited profile posts. There is a method canPostOnProfile() but it hasn't been used in code yet.
1. Create a new user.
2. Load his profile in a browser.
3. Set the permission of his user group for the following "Post new profile posts".
4. Post in the already present text box and the message is posted on the profile.
Although the profile box is hidden when the page is refreshed, anybody would know about the form action endpoint and can create unlimited profile posts. There is a method canPostOnProfile() but it hasn't been used in code yet.
