• Users can remove imported entries from sbbslist

    From Craig Hendricks@1:103/705 to GitLab issue in main/sbbs on Sat Jul 23 08:02:16 2022
    open https://gitlab.synchro.net/main/sbbs/-/issues/425

    I had a new user come by today, browse the sbbslist utility (?sbbslist browse), and was able to remove an imported entry that they did not create.

    I reviewed the code, and it appears the `can_edit` function is supposed to prevent precisely this type of action, but it doesn't. Are the string returns supposed to be the same as a boolean false return?

    ```
    function can_edit(bbs)
    {
        if(!bbs)
            return "not an entry";
        if(bbs.imported) {
            return "Cannot edit imported entries";
        }
        if(bbs.entry.created
            && bbs.entry.created.by
            && bbs.entry.created.by.toLowerCase() != user.alias.toLowerCase()) {
            return "Sorry, this entry was created by: " + bbs.entry.created.by;
        }
        return true;
    }
    ```

    To me it looks like it's always returning true. Could open potential for sbbslist abuse.
    --- SBBSecho 3.15-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
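
Added example, not part of the original message and not sbbslist's own code: in JavaScript every non-empty string is truthy, so a caller that tests the result of `can_edit` with a bare `if` treats the refusal messages as permission, while a caller that compares against `true` does not. The two callers (`remove_loose`, `remove_strict`), the `user` parameter and the sample list are assumptions made for illustration; how sbbslist actually calls `can_edit` is not shown in the issue.

```javascript
// can_edit() follows the function quoted in the issue; the current user is
// passed as a parameter (assumption) so the code runs outside Synchronet.
function can_edit(bbs, user) {
    if (!bbs)
        return "not an entry";
    if (bbs.imported)
        return "Cannot edit imported entries";
    var by = bbs.entry.created && bbs.entry.created.by;
    if (by && by.toLowerCase() != user.alias.toLowerCase())
        return "Sorry, this entry was created by: " + by;
    return true;
}

// Hypothetical caller using a truthiness test. Each refusal message is a
// non-empty string, which is truthy, so the removal goes ahead anyway.
function remove_loose(list, index, user) {
    if (can_edit(list[index], user)) {
        list.splice(index, 1);
        return true;
    }
    return false;
}

// Hypothetical caller that grants permission only on the boolean true and
// hands any other value back as the reason for refusal.
function remove_strict(list, index, user) {
    var result = can_edit(list[index], user);
    if (result !== true)
        return result;
    list.splice(index, 1);
    return true;
}

// Constructed sample data: one imported entry, one created by the user.
function sample_list() {
    return [
        { imported: true, entry: { name: "Imported BBS", created: { by: "syncdata" } } },
        { imported: false, entry: { name: "Own BBS", created: { by: "NewUser" } } }
    ];
}

var new_user = { alias: "newuser" };
var a = sample_list(), b = sample_list();
console.log(remove_loose(a, 0, new_user), a.length);   // imported entry removed
console.log(remove_strict(b, 0, new_user), b.length);  // refusal message, list intact
console.log(remove_strict(b, 1, new_user), b.length);  // user's own entry removed
```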