authorBrett Profitt <brett.profitt@gmail.com>2012-05-14 11:59:23 -0700
committerBrett Profitt <brett.profitt@gmail.com>2012-05-14 11:59:23 -0700
commit70e5ffe5f887679b10b6c6ac8a14b1f128efbb52 (patch)
treed870b5f0d7eab36b0d8ce4ed0441a3b6b1002aa4
parentf8d77796af608dd8b4eff0a19129edf544f73396 (diff)
downloadelgg-70e5ffe5f887679b10b6c6ac8a14b1f128efbb52.tar.gz
elgg-70e5ffe5f887679b10b6c6ac8a14b1f128efbb52.tar.bz2
Setting the useradd action's access to admin instead of public.
-rw-r--r--CHANGES.txt1
-rw-r--r--engine/lib/users.php2
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a7e14331d..f5cacac29 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ Version 1.8.5
Security Enhancements:
* Fixed possible XSS vulnerability if using a crafted URL.
+ * Fixed exploit to bypass new user validation if using a crafted form.
Bugfixes:
* Twitter API: New users are forwarded to the correct page after creating
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 6a881777e..e209f2c38 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1551,7 +1551,7 @@ function users_init() {
elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu');
elgg_register_action('register', '', 'public');
- elgg_register_action('useradd', '', 'public');
+ elgg_register_action('useradd', '', 'admin');
elgg_register_action('friends/add');
elgg_register_action('friends/remove');
elgg_register_action('avatar/upload');
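Review bot: The new 'admin' access level on line L35 is the only thing standing between an anonymous request and the useradd action, and `elgg_register_action()` is the same public API every plugin uses (lines L33–L38), so a plugin that re-registers 'useradd' with a lower level would silently reopen the validation bypass the changelog says this fixes. For defence in depth the action file itself (actions/useradd.php, not in this hunk) should also call `admin_gatekeeper()` at the top so the admin check does not depend solely on the registry entry. A short why-comment would help the next maintainer not "fix" this back to public: `// admin-only: self-registration must go through the public 'register' action and its validation`. Worth adding a regression test that invokes the useradd action without an admin session and asserts it is refused. The enclosing `users_init()` starts and ends outside this hunk.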