MokoConsulting/MokoJoomCross
1
0
Fork 0
Code Issues 105 Pull Requests Releases 1 Wiki Activity

Security: No ACL/CSRF check on CSV export #104

New Issue
Open
opened 2026-05-29 05:30:34 +00:00 by jmiller · 1 comment
jmiller commented 2026-05-29 05:30:34 +00:00
Owner
Copy Link
Copy Source

Audit Finding L-4

Severity: Low

Issue:
PostsController::exportCsv() has no $this->checkToken() and no authorise() check. Any authenticated backend user who can access the component can export all posts.

Fix: Add $this->checkToken('get') and ACL check.

Files: PostsController.php

Label: priority: low, type: security

## Audit Finding L-4 **Severity:** Low **Issue:** `PostsController::exportCsv()` has no `$this->checkToken()` and no `authorise()` check. Any authenticated backend user who can access the component can export all posts. **Fix:** Add `$this->checkToken('get')` and ACL check. **Files:** `PostsController.php` **Label:** `priority: low`, `type: security`
jmiller commented 2026-05-29 05:30:37 +00:00
Author
Owner
Copy Link
Copy Source

Branch created: feature/104-security-no-acl-csrf-check-on-csv-export

git fetch origin
git checkout feature/104-security-no-acl-csrf-check-on-csv-export
Branch created: [`feature/104-security-no-acl-csrf-check-on-csv-export`](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/src/branch/feature/104-security-no-acl-csrf-check-on-csv-export) ```bash git fetch origin git checkout feature/104-security-no-acl-csrf-check-on-csv-export ```
Sign in to join this conversation.
Labels
Clear labels
pending: testing
Implemented, awaiting testing
bug
Something is not working
 chore
Maintenance and housekeeping
 documentation
Documentation improvements
 enhancement
Improvement to existing functionality
 feature
New feature or request
 pending: dependency
Blocked by another issue or external dependency
 pending: deployment
Tested and approved, awaiting deployment to production
 pending: design
Needs UI/UX or architecture design before implementation
 pending: documentation
Feature works, needs documentation/wiki update
 pending: feedback
Awaiting feedback or decision from stakeholder
 pending: review
Implementation complete, awaiting code review
 pending: testing
Feature implemented but not yet tested
 priority: critical
Must fix immediately
 priority: high
Should fix soon
 priority: low
Nice to have
 priority: medium
Fix when convenient
 refactor
Code restructuring without behavior change
 roadmap
Planned feature or enhancement tracked on the roadmap
 scope: client
Client-specific work
 scope: dolibarr
Dolibarr modules and customizations
 scope: infrastructure
Server, CI, backups, monitoring
 scope: joomla
Joomla templates and extensions
 scope: waas
MokoWaaS platform
 security
Security vulnerability or hardening
 status: blocked
Waiting on external dependency
 status: duplicate
Duplicate of another issue
 status: in-progress
Being worked on
 status: needs-review
Ready for review
 status: wontfix
Will not be addressed
No labels
Type Security
Status
Priority High
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoJoomCross#104
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?