Hi, I just found out that even as a regular visitor without a WebYep login you can see content that is normally set to "do not display" in WebYep. Just append the following snippet to the URL:
WEBYEP_EDIT=yes
Second effect: If in the WY configuration "$webyep_bShowDisabledEditButtons" is set to "true", the visitor also sees inactive WY editing buttons.
WY version 1.7.2
Can anybody help? I swear I used the forum search feature before this post but found nothing.
Security Bug WEBYEP_EDIT=yes in URL
Re: Security Bug WEBYEP_EDIT=yes in URL
Hi ritasboss
I don't think this is a security bug because you need more than the WEBYEP_EDIT=yes.
It's true this will unlock the lock, but it won't unlock the actual WebYep elements, because you need a number after the yes element and that could be anything.
Show disabled edit buttons is for editors that have partial editing access and this is usually set up in the config file. So its a way to show there is more to edit if you had full administration access.
all the best max
Re: Security Bug WEBYEP_EDIT=yes in URL
Hi Max,
thank you for your answer. You are absolutely right. Visitors without administration access can't edit content. So it's not really a security bug. But (with or without a number after the yes element) content which in WY loop elements is set to "do not display" is shown. That turned into a really big problem for one of my clients, because some content that was just "parked" and planned to be shown on a later date is already known to the public.
I told all my clients to delete those parts as a precaution. They are not very happy with this idea.
I know the sense of displaying disabled edit buttons.
I already set this feature to "false" in all my clients config files.
Still I'm looking for a solution
Re: Security Bug WEBYEP_EDIT=yes in URL
Ahh I see what you mean
I will have a think about how that could be avoided
kind regards max
Re: Security Bug WEBYEP_EDIT=yes in URL
Hi Max,
Thank you very much! I'm very very glad that you are interested in solving this problem.
Re: Security Bug WEBYEP_EDIT=yes in URL
I discovered another effect ...
Now the very helpful function "webyep_bIsEditMode()" becomes a chatterbox. It returns TRUE when the above snippet is used ... no matter whether the visitor has administration access or not.
I often use this function for displaying hints for editors - originally only those with admin access
or to decide where to place a WY-text-element for example used for meta-tags (TRUE > body, FALSE > head)
I'm thinking about changing the use of "if (webyep_bIsEditMode()){ ...} " to the following code in all my client's websites ... arrgh.
if(isset($_SESSION['WebYepIsAuthorized']) && $_SESSION['WebYepIsAuthorized'] == 1){ ... }
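The following PHP is an added example, not WebYep code and not the code from the post above. It shows the pattern the post describes: deciding "is this an editor?" from the authorized session rather than from whatever the request URL says, and then using that one decision for the three places mentioned in this thread (editor hints, the head/body placement of a meta-tag element, and hiding loop items set to "do not display"). The only WebYep name it relies on is the `$_SESSION['WebYepIsAuthorized']` key quoted in the post; the helper names, the `enabled` flag and the sample loop items are constructed for the example.

```php
<?php
// Added example (not WebYep's own code). Assumption: an authorized WebYep
// editor has $_SESSION['WebYepIsAuthorized'] == 1, as the forum post relies on.
// All helper names below are hypothetical; the sample data is constructed.

// The single place where "editor or not" is decided. It looks only at the
// session, so a WEBYEP_EDIT parameter in the URL cannot influence it.
function is_authorized_editor(array $session): bool
{
    return isset($session['WebYepIsAuthorized'])
        && (int) $session['WebYepIsAuthorized'] === 1;
}

// Use case 1 from the thread: hints that only editors should see.
function editor_hint(array $session, string $hint): string
{
    if (!is_authorized_editor($session)) {
        return '';
    }
    return '<p class="editor-hint">'
        . htmlspecialchars($hint, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Use case 2: where to render a text element used for meta tags.
// The post's rule was TRUE -> body (editable), FALSE -> head (real meta tag).
function metatag_placement(array $session): string
{
    return is_authorized_editor($session) ? 'body' : 'head';
}

// Use case 3: loop items flagged "do not display". Editors see them so they
// can switch them back on; every other visitor never gets them in the output.
function visible_loop_items(array $items, array $session): array
{
    if (is_authorized_editor($session)) {
        return $items;
    }
    return array_values(array_filter(
        $items,
        fn(array $item): bool => !empty($item['enabled'])
    ));
}

// Constructed sample data: two published items and one "parked" item that
// is planned for a later date and must not reach the public yet.
$items = [
    ['title' => 'Opening hours',                     'enabled' => true],
    ['title' => 'Summer special (not yet announced)', 'enabled' => false],
    ['title' => 'Contact',                           'enabled' => true],
];

// In a real page you would pass $_SESSION; here two sessions are constructed.
$visitor = [];                          // no WebYep login at all
$editor  = ['WebYepIsAuthorized' => 1]; // logged-in editor

foreach (['visitor' => $visitor, 'editor' => $editor] as $who => $session) {
    $titles = array_column(visible_loop_items($items, $session), 'title');
    printf("%-7s sees %d item(s): %s\n", $who, count($titles), implode('; ', $titles));
    printf("%-7s meta-tag element goes to <%s>\n", $who, metatag_placement($session));
    printf("%-7s hint: %s\n", $who, editor_hint($session, 'Edit the intro text here') ?: '(none)');
}
```

Running this with `php example.php` prints two items for the visitor and three for the editor; the visitor output is identical whether or not `WEBYEP_EDIT=yes` is present in the URL, because `$_GET` is never consulted. The point of funnelling every check through one `is_authorized_editor()` is that a future change to how WebYep marks an authorized session only needs to be made in one place.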
Re: Security Bug WEBYEP_EDIT=yes in URL
Thanks a lot Johannes Tiefenbrunner! He posted a solution on https://github.com/obdev/WebYep