1. peterr, 2004/9/4 3:15
Access to user profile and user information
(Just can't stay away; Posts: 518; Since: 2004/8/5 9)


Hi,

Having some concerns about the fact that anyone can do this:

http://example.com/userinfo.php?uid=1

and find out the webmaster username, or do it for any user id, plus the fact that ideally I would like to restrict _all_ access to usernames unless the $xoopsrank was equal, I decided to do a bit of searching on the forums in regards to these matters. The solution to this (for me) has now, in fact, already been answered by Dave_L, however as I had done the research here and already collated the various methods to address these issues, I thought it might be helpful to summarise the other solutions.

I have given credit to whoever supplied the following; if I have made a mistake somewhere, please advise.

Preventing anonymous users from viewing profiles

Quote:
From Dave_L

You can prevent anonymous users from viewing profiles with a simple hack to userinfo.php:

include 'mainfile.php';
include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';

// guests have no $xoopsUser object, so they are redirected before the profile is loaded
$xoopsUser or redirect_header('index.php', 3, _NOPERM); #*#NOVIEW_USER_PROFILE#

$uid = intval($_GET['uid']);


Suppress only certain fields in user profile

Quote:
From Dave_L

If you want to suppress only certain fields, you could use the same concept:

if ($xoopsUser) {
    $xoopsTpl->assign('user_icq', $thisUser->getVar('user_icq'));
} else {
    $xoopsTpl->assign('user_icq', '(not available)');
}


Only allow webmasters to see webmaster profiles

Quote:
From Dave_L

In userinfo.php, after $uid has been defined:

// (not tested)
$current_user_is_webmaster = is_object($xoopsUser) && in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups());

$member_handler =& xoops_gethandler('member');
$selected_user_is_webmaster = in_array(XOOPS_GROUP_ADMIN, $member_handler->getGroupsByUser($uid));

// a non-webmaster asking for a webmaster's profile is sent away
$selected_user_is_webmaster and !$current_user_is_webmaster and redirect_header('index.php', 3, _NOPERM);


Prevent access to user pages

From Mithrandir

Quote:

At the top of userinfo.php (after mainfile.php)
if (!$xoopsUser) {
    redirect_header('index.php', 2, _NOPERM);
}


How to hide members email id

From Stewdio

Quote:

Open and edit userinfo.php on line 91

$xoopsTpl->assign('lang_email', _US_EMAIL);

Just comment out the line:

//$xoopsTpl->assign('lang_email', _US_EMAIL);


Deleting fields shown in user profiles

From tl

Quote:
You will have to modify userinfo.php and edituser.php files (maybe other files)

comment out the lines you want rid of, something like the following in edituser.php file

//        $edituser->setVar('user_aim', $user_aim);
//        $edituser->setVar('user_yim', $user_yim);
//        $edituser->setVar('user_msnm', $user_msnm);


Stop guests from viewing registered user profiles

From ajaxbr

Quote:
Open userinfo.php and find

$xoopsOption['pagetype'] = 'user';
include 'mainfile.php';
include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';


Then add the following (from admin.php) just below it, so that it's between the above and "$uid = intval($HTTP_GET_VARS['uid']);"
Code to add:

include XOOPS_ROOT_PATH."/include/cp_functions.php";
if (!$xoopsUser) {
    redirect_header('index.php', 3, _AD_NORIGHT);
    exit();
}


This hardcodes that only members can view profiles, no matter where people find the users' profile links (well, I might be wrong, I feel so wrong tonight) but I guess it's a little broken because it'll display "_AD_NORIGHT" instead of the language string in the redirect page. But I'm way too tired to try to figure out why.


From Mithrandir

Quote:
You don't need to include cp_functions.php

just the if (!$xoopsUser) clause will do - the language constant can be replaced with _NOPERM


From Dave_L

Quote:
Here's a more concise way of doing it:

$xoopsUser or redirect_header('index.php', 3, _NOPERM);



From ajaxbr

Quote:
Perhaps something like

// uid() and rank() are placeholders from the original post, not XOOPS functions
$uid = uid();
$xoopsrank = rank($uid);
if (!($xoopsrank == "Webmaster" || $xoopsrank == "Moderator" || $xoopsrank == "Masterator")) {
    redirect_header('index.php', 3, _NOPERM);
    exit();
}



Stopping anonymous visitors viewing user info

From Dave_L

Quote:
Here's my hack for that:

userinfo.php:

include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';

$xoopsUser or redirect_header('index.php', 3, _NOPERM);

$uid = intval($HTTP_GET_VARS['uid']);



Blocking access for anonymous users

From Mithrandir

Quote:
at the top of userinfo.php - below the include statements - add this:

if (!$xoopsUser) {
    redirect_header('index.php', 3, 'You have got to register to access this page'); //Alternatively, use _NOPERM for localised message
}



This will block access for non-registered users - but any registered user will be able to see it, independent of group memberships.



Display realname instead of username in new members block

From Dave_L

Quote:
Edit modules/system/blocks/system_blocks.php, and in the function b_system_newmembers_show (line 269 in version 2.0.5.2), change:

$block['users'][$i]['name'] = $newmembers[$i]->getVar('uname');

to:

$block['users'][$i]['name'] = $newmembers[$i]->getVar('name');


Hope that helps someone, it certainly helped solve a few problems for me.

Thanks,

Peter
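Pulling the quoted hacks together: the following is an added example (my own stand-alone PHP, not code from the thread and not XOOPS core) that models the three access rules above as plain functions so they can be exercised outside a XOOPS install. Group membership (XOOPS_GROUP_ADMIN) is used in place of $xoopsrank, as in Dave_L's webmaster check; the "(not available)" placeholder is his too. The XOOPS_GROUP_* constants are defined locally only so the script runs on its own, and the function names, field list and sample users are assumptions constructed for the demo.

```php
<?php
// Added example, not from the thread or XOOPS core. Constants are defined
// locally so this runs stand-alone; in userinfo.php they come from mainfile.php.
define('XOOPS_GROUP_ADMIN', 1);
define('XOOPS_GROUP_USERS', 2);
define('XOOPS_GROUP_ANONYMOUS', 3);

// Fields shown to logged-in members only (Dave_L's user_icq idea, as a list;
// the field set is an assumption for the demo).
const MEMBER_ONLY_FIELDS = ['email', 'user_icq', 'user_aim', 'user_yim', 'user_msnm'];

/**
 * Decide whether a viewer with $viewerGroups may see the profile of a user
 * with $targetGroups. $viewerGroups is null for guests (no $xoopsUser).
 * Returns null when allowed, otherwise a reason the caller would turn into a
 * redirect_header() call.
 *
 * Rules, in order:
 *  1. guests see no profile at all;
 *  2. webmaster profiles are visible to webmasters only;
 *  3. any other member profile is visible to any logged-in member.
 */
function profileAccessDenied(?array $viewerGroups, array $targetGroups): ?string
{
    if ($viewerGroups === null) {
        return 'anonymous';
    }
    $viewerIsWebmaster = in_array(XOOPS_GROUP_ADMIN, $viewerGroups);
    $targetIsWebmaster = in_array(XOOPS_GROUP_ADMIN, $targetGroups);
    if ($targetIsWebmaster && !$viewerIsWebmaster) {
        return 'webmaster-profile';
    }
    return null;
}

/**
 * Build template variables for a profile row, blanking MEMBER_ONLY_FIELDS for
 * guests instead of leaking them. $loggedIn mirrors (bool)$xoopsUser.
 */
function profileTemplateVars(array $profile, bool $loggedIn): array
{
    $vars = [];
    foreach ($profile as $field => $value) {
        $hide = !$loggedIn && in_array($field, MEMBER_ONLY_FIELDS, true);
        $vars[$field] = $hide ? '(not available)' : $value;
    }
    return $vars;
}

// Self-check with constructed users and a constructed profile row.
function selfCheck(): bool
{
    $webmaster = [XOOPS_GROUP_ADMIN, XOOPS_GROUP_USERS];
    $member    = [XOOPS_GROUP_USERS];
    $guest     = null;

    $ok = profileAccessDenied($guest, $member) === 'anonymous'
       && profileAccessDenied($member, $member) === null
       && profileAccessDenied($member, $webmaster) === 'webmaster-profile'
       && profileAccessDenied($webmaster, $member) === null
       && profileAccessDenied($webmaster, $webmaster) === null;

    $row  = ['uname' => 'admin', 'name' => 'Site Admin',
             'email' => 'admin@example.com', 'user_icq' => '12345'];
    $vars = profileTemplateVars($row, false);
    $ok = $ok && $vars['email'] === '(not available)'
              && $vars['user_icq'] === '(not available)'
              && $vars['uname'] === 'admin'
              && profileTemplateVars($row, true)['email'] === 'admin@example.com';
    return $ok;
}

if (!selfCheck()) {
    fwrite(STDERR, "profile access self-check failed\n");
    exit(1);
}
echo "profile access rules behave as expected\n";
```

In userinfo.php the equivalent wiring is `$denied = profileAccessDenied($xoopsUser ? $xoopsUser->getGroups() : null, $member_handler->getGroupsByUser($uid)); $denied and redirect_header('index.php', 3, _NOPERM);` placed right after $uid is defined, before any user data is assigned to the template. Note that the check must run before the template assignments, not after: the quoted cp_functions.php variant works only because the redirect happens before `$thisUser` is ever loaded.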




2. peterr, 2007/6/30 9:47
Re: Access to user profile and user information
(Just can't stay away; Posts: 518; Since: 2004/8/5 9)


Is there going to be (planned ??) any development in this area of displaying user profile information ?

It would be nice to restrict all access to username information (profile info) unless the $xoopsrank was equal, or lower.

That way, the "super" user ('admin'), outranking everyone, could keep a considerable amount of information secure. I'm thinking along the lines of protecting the username of the 'admin' person.

3. JCDunnart, 2007/6/30 10:22
Re: Access to user profile and user information
(Not too shy to talk; Posts: 114; Since: 2006/7/1 5)


Here's a simple tip:

Create a new user to be the site admin. Give this user webmaster group permissions, and restrict the group permissions of user #1.

People won't know which user has the extra permissions... a very simple security enhancement

The only thing to look out for is if a module dev has hardcoded the webmaster access to user #1. That's easily tested by keeping webmaster permissions on both user accounts until you are sure everything works with the new one.
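The pitfall named in the last paragraph (a module that assumes user #1 is the webmaster) can also be looked for in source before the accounts are swapped. The following is an added example (my own PHP, not from the post or from XOOPS) that scans PHP source for comparisons of a uid against the literal 1. The regex, the function names and the sample snippets are constructed for the demo; point scanDirectory() at modules/ in a real install.

```php
<?php
// Added example, not from the post or XOOPS: find code that hardcodes
// "uid 1 is the admin". Heuristic text scan, so expect some false positives
// (e.g. identifiers that merely contain "uid").

/**
 * Return [lineNumber => lineText] for every line of $php that compares a
 * uid-like expression against the literal 1, in either order:
 *   $uid == 1, $xoopsUser->getVar('uid') === 1, 1 == $uid, ...
 */
function scanSource(string $php): array
{
    $pattern = '/(?:uid[^=!<>\n]*(?:==|===)\s*1\b)|(?:\b1\s*(?:==|===)[^;\n]*uid)/i';
    $hits = [];
    foreach (explode("\n", $php) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

/** Scan every *.php file below $dir; returns [path => [line => text]]. */
function scanDirectory(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $hits = scanSource(file_get_contents($file->getPathname()));
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Constructed sample: two hardcoded uid-1 checks (lines 1 and 2) and two
// lines that must not be flagged (a proper group check, plain arithmetic).
$sample = <<<'PHP'
if ($xoopsUser->getVar('uid') == 1) { $isAdmin = true; }
if (1 === $uid) { showAdminMenu(); }
if (in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups())) { $isAdmin = true; }
$count = $uid + 1;
PHP;

$hits = scanSource($sample);
if (array_keys($hits) !== [1, 2]) {
    throw new RuntimeException('scanner self-check failed');
}
foreach ($hits as $n => $text) {
    echo "line $n: $text\n";
}
```

Any hit should be rewritten to test group membership (`in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups())`), which is what makes the "new admin account, demoted #1" tip safe to apply.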
