APS permissions bug
It's now possible to install the APS package to that website of somebody else because of the bug in the code:
/interface/web/sites/aps_install_package.php
// Get domain list
$domains = array();
$domain_for_user = '';
if(!$adminflag) domain_for_user = "AND (sys_userid = '".
app->db->quote($_SESSION['s']['user']['userid'])."'
OR sys_groupid = '".$app->db->quote($_SESSION['s']['user']['userid'])."' )";
Must be:
// Get domain list
$domains = array();
$domain_for_user = '';
if(!$adminflag) domain_for_user = "AND (sys_userid = '".
app->db->quote($_SESSION['s']['user']['userid'])."'
OR sys_groupid = '".$app->db->quote($_SESSION['s']['user']['default_group'])."' )";