open
https://gitlab.synchro.net/main/sbbs/-/issues/425
I had a new user come by today, browse the sbbslist utility (?sbbslist browse), and was able to remove an imported entry that they did not create.
I reviewed the code, and it appears the `can_edit` function is supposed to prevent precisely this type of action, but it doesn't. Are the string returns supposed to be the same as a boolean false return?
```javascript
function can_edit(bbs)
{
	if(!bbs)
		return "not an entry";
	if(bbs.imported) {
		return "Cannot edit imported entries";
	}
	if(bbs.entry.created
		&& bbs.entry.created.by
		&& bbs.entry.created.by.toLowerCase() != user.alias.toLowerCase()) {
		return "Sorry, this entry was created by: " + bbs.entry.created.by;
	}
	return true;
}
```
To me it looks like it's always returning true. Could open potential for sbbslist abuse.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
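An added example (not sbbslist's own code) showing why the reason strings above pass a plain truthiness check, beside two hardened variants: a caller that compares `=== true`, and a version that returns an explicit boolean. The `user` object and the entry records are constructed stand-ins for the real sbbslist data.

```javascript
// Constructed stand-in for Synchronet's global `user` object.
const user = { alias: "Alice" };

// Same pattern as the reported can_edit(): every failure path returns a
// non-empty string, and in JavaScript a non-empty string is truthy.
function canEditLoose(bbs) {
    if (!bbs) return "not an entry";
    if (bbs.imported) return "Cannot edit imported entries";
    const by = bbs.entry && bbs.entry.created && bbs.entry.created.by;
    if (by && by.toLowerCase() !== user.alias.toLowerCase())
        return "Sorry, this entry was created by: " + by;
    return true;
}

// Hardened variant: the permission decision is a real boolean, and the
// human-readable reason travels alongside it instead of replacing it.
function canEditStrict(bbs) {
    if (!bbs) return { ok: false, reason: "not an entry" };
    if (bbs.imported) return { ok: false, reason: "Cannot edit imported entries" };
    const by = bbs.entry && bbs.entry.created && bbs.entry.created.by;
    if (by && by.toLowerCase() !== user.alias.toLowerCase())
        return { ok: false, reason: "Sorry, this entry was created by: " + by };
    return { ok: true };
}

// A caller written the natural way, `if (can_edit(bbs)) remove(...)`.
// With the loose function this allows every entry, including the cases the
// strings were meant to refuse.
function removeAllowedNaive(bbs) { return !!canEditLoose(bbs); }

// Minimal caller-side fix that keeps the string-returning API: only the
// literal boolean `true` grants permission.
function removeAllowedCompared(bbs) { return canEditLoose(bbs) === true; }

// Caller against the hardened API: no way to misread a reason as consent.
function removeAllowedStrict(bbs) { return canEditStrict(bbs).ok; }

// Constructed sample entries: an imported one, one created by another
// user, and one created by the current user (alias compare is case-insensitive).
const importedEntry = { imported: true,  entry: { created: { by: "Bob" } } };
const foreignEntry  = { imported: false, entry: { created: { by: "Bob" } } };
const ownEntry      = { imported: false, entry: { created: { by: "alice" } } };
```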