Alec Smecher Review 2018-12-19:

This note [1] doesn't seem right to me -- maybe test again?
e.g. here [2], we try to avoid manual concatenation of URLs -- it won't work when the path_info_disabled setting is turned on.
Several of the entity fetches (e.g. getting objects/settings from the database using the DAOs) take the IDs from the request without checking that they're appropriate. This may be accidentally opening the system to e.g. exposing unintended data. I haven't reviewed this in detail, though.

[1]

ojs-fiduswriter/FidusWriterPlugin.inc.php

Line 22 in 69eea07

/* Note: it looks counterintuitive that only the first listener checks

[2]

ojs-fiduswriter/FidusWriterPlugin.inc.php

Line 244 in 69eea07

    
                                           href="' . $this->getGatewayPluginUrl() . '/documentReview?submissionId=' . $submissionId . '&stageId=' . $stageId . '&version=' . $versionString . '"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TODO.md

TODO.md

Files

TODO.md

Latest commit

History

TODO.md

File metadata and controls