Fixed security issue in loading the authorization for ViewLists.
- During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded forging a $_POST request while not necessarily filtering the results using $_GET.
- This allowed Curators to craft special requests to load VLs with non-public data of other genes.
- Solved this by enforcing filtering when authorizing Curators.
Showing with 13 additions and 3 deletions
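
The mismatch the commit message describes, as an added illustration that is not the project's code: authorization is decided from the merged request, while row filtering reads only the query string. Every function name, the `gene` parameter and the data below are constructed assumptions.

```php
<?php
// Added illustration; all names are hypothetical, not taken from the project.
const CURATES = ['curator1' => ['GENE_A']];   // constructed: which user curates which gene
const ROWS = [                                // constructed data set
    ['id' => 1, 'gene' => 'GENE_A', 'public' => false],
    ['id' => 2, 'gene' => 'GENE_B', 'public' => true],
    ['id' => 3, 'gene' => 'GENE_B', 'public' => false],
];

// Curator rights apply only to the gene named in $source.
function isCuratorFor(string $user, array $source): bool
{
    return in_array($source['gene'] ?? '', CURATES[$user] ?? [], true);
}

// Before: authorization reads the merged request, filtering reads only the query string.
function viewListBefore(string $user, array $get, array $post): array
{
    $request = array_merge($get, $post);      // stands in for $_REQUEST (POST wins)
    $curator = isCuratorFor($user, $request);
    $gene    = $get['gene'] ?? null;          // absent from the query string: no filter
    return array_values(array_filter(ROWS, fn($r) =>
        ($gene === null || $r['gene'] === $gene) && ($curator || $r['public'])));
}

// After: the gene that granted curator rights is also the gene the rows are filtered on.
function viewListAfter(string $user, array $get, array $post): array
{
    $request = array_merge($get, $post);
    $curator = isCuratorFor($user, $request);
    $gene    = $curator ? $request['gene'] : ($get['gene'] ?? null);
    return array_values(array_filter(ROWS, fn($r) =>
        ($gene === null || $r['gene'] === $gene) && ($curator || $r['public'])));
}

// Constructed request: the gene appears only in the POST body.
$get  = [];
$post = ['gene' => 'GENE_A'];
echo 'before: ', implode(',', array_column(viewListBefore('curator1', $get, $post), 'id')), "\n";
echo 'after:  ', implode(',', array_column(viewListAfter('curator1', $get, $post), 'id')), "\n";
```

In the "before" variant the non-public `GENE_B` row is returned to a user who curates only `GENE_A`; binding the filter to the authorizing gene removes it.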