The issue: A user with course creator access can create content libraries under any existing or new org id by manipulating the HTML/JS code in their browser. There are no checks in the backend to prevent this.
How to replicate:
- Log into Studio using an account with course creator access only (it should not have staff or admin access)
- Click on New Library button
- Check the orgs listed in the dropdown
- Edit the HTML in the browser, to add an option in the dropdown for an org id not listed already
- Select the newly added org id from the dropdown
- Add any library name and library code.
- Click on Create
- Verify new library created in unauthorized org
Code responsible: This code is supposed to check whether the user has sufficient privileges to create a library in the org, but it returns True as long as the user has course creator access, irrespective of the user's access to that org.
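As an added illustration (not the project's own code; every name, role and user below is hypothetical and constructed for the example), the shape of the check described above beside an org-scoped version, with the server-side entry point that must not trust the org id posted from the browser:

```python
from dataclasses import dataclass, field


# Constructed, simplified model of a Studio user and org-scoped roles
# (hypothetical; not the project's real data model).
@dataclass
class User:
    username: str
    is_staff: bool = False
    is_course_creator: bool = False
    org_roles: dict = field(default_factory=dict)  # org id -> set of role names


def can_create_library_vulnerable(user: User, org: str) -> bool:
    """Mirrors the reported defect: the org argument is never consulted."""
    return user.is_staff or user.is_course_creator


def can_create_library_fixed(user: User, org: str) -> bool:
    """Org-scoped check: course creator access is necessary, not sufficient.
    A non-staff user also needs a library-authoring role in that specific org."""
    if user.is_staff:
        return True
    if not user.is_course_creator:
        return False
    return "library_user" in user.org_roles.get(org, set())


def create_library(user: User, org: str, name: str, code: str, check=can_create_library_fixed):
    """Backend entry point: the org id comes from the client, so authorize it here."""
    if not check(user, org):
        raise PermissionError(f"{user.username} may not create libraries in org {org!r}")
    return {"org": org, "name": name, "code": code}


def try_create(user: User, org: str, check=can_create_library_fixed) -> str:
    """Return 'created' or 'denied' so both checks can be compared on the same input."""
    try:
        create_library(user, org, "Sample Library", "LIB1", check=check)
        return "created"
    except PermissionError:
        return "denied"


# Constructed sample users: the creator only holds a role in OrgA.
CREATOR = User("creator", is_course_creator=True, org_roles={"OrgA": {"library_user"}})
STAFF = User("staff", is_staff=True)
STUDENT = User("student")
```

With the vulnerable check, CREATOR is allowed to create a library in an org they have no role in (or one that does not exist yet); the org-scoped check denies it while still allowing OrgA and staff users.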