Access to user profile and user information [Q and A]

Access to user profile and user information

2004/9/4 3:15
peterr
Just can't stay away
Posts: 518
Since: 2004/8/5 9

Hi,

Having some concerns about the fact that anyone can do this:

http://example.com/userinfo.php?uid=1

and find out the webmaster username, or do it for any user id, plus the fact that ideally I would like to restrict _all_ access to usernames unless the $xoopsrank was equal, I decided to do a bit of searching on the forums in regards to these matters. The solution to this (for me) has now, in fact, already answered by Dave_L , however as I had done the research here and already collated the various methods to address these issues, I thought it might be helpful to summarise other solutions.

I have given credit to whoever supplied the following, if I have made a mistake somewhere, pls advise.

Preventing anonymous users from viewing profiles

Quote:

From Dave_L

You can prevent anonymous users from viewing profiles with a simple hack to userinfo.php:

include 'mainfile.php'; include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php'; $xoopsUser or redirect_header('index.php', 3, _NOPERM); #*#NOVIEW_USER_PROFILE# $uid = intval($_GET['uid']);

Suppress only certain fields in user profile

Quote:

From Dave_L

If you want to suppress only certain fields, you could use the same concept:

if ($xoopsUser) { $xoopsTpl->assign('user_icq', $thisUser->getVar('user_icq')); } else { $xoopsTpl->assign('user_icq', '(not available)'); }

Only allow webmasters to see webmaster profiles

Quote:

From Dave_L

In userinfo.php, after $uid has been defined:

// (not tested) $current_user_is_webmaster = is_object($xoopsUser) && in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups()); $member_handler =& xoops_gethandler('member'); $selected_user_is_webmaster = in_array(XOOPS_GROUP_ADMIN, $member_handler->getGroupsByUser($uid)); $selected_user_is_webmaster and !$current_user_is_webmaster and redirect_header('index.php', 3, _NOPERM);

Prevent access to user pages

From Mithrandir

Quote:

At the top of userinfo.php (after mainfile.php)
if (!$xoopsUser) { redirect_header('index.php', 2, _NOPERM); }

How to hide members email id

From Stewdio

Quote:

Open and edit userinfo.php on line 91

$xoopsTpl->assign('lang_email', _US_EMAIL);

Just comment out the line:

//$xoopsTpl->assign('lang_email', _US_EMAIL);

Deleting fields shown in user profiles

From tl

Quote:

You will have to modify userinfo.php and edituser.php files (maybe other files)

comment out the lines you want rid of, something like the following in edituser.php file

// $edituser->setVar('user_aim', $user_aim); // $edituser->setVar('user_yim', $user_yim); // $edituser->setVar('user_msnm', $user_msnm);

Stop guests from viewing registered user profiles

From ajaxbr

Quote:

Open userinfo.php and find

$xoopsOption['pagetype'] = 'user'; include 'mainfile.php'; include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';

Then add the following (from admin.php) just below it, so that it's between the above and "$uid = intval($HTTP_GET_VARS['uid']);"
Code to add:

include XOOPS_ROOT_PATH."/include/cp_functions.php"; if ( !$xoopsUser ) { redirect_header('index.php',3,_AD_NORIGHT); exit(); }

This hardcodes that only members can view profiles, no matter where people find the users profiles links (well, I might be wrong, I feel so wrong tonite) but I guess it's a little broken because it'll display "_AD_NORIGHT" instead of the language string in the redirect page. But I'm way too tired to try to figure out why.

From Mithrandir

Quote:

You don't need to include cp_functions.php

just the if (!$xoopsUser) clause will do - the language constant can be replaced with _NOPERM

From Dave_L

Quote:

Here's a more concise way of doing it:

$xoopsUser or redirect_header('index.php', 3, _NOPERM);

From ajaxbr

Quote:

Perhaps something like

$uid = uid(); $xoopsrank = rank(uid) if !($xoopsrank == "Webmaster" || $xoopsrank == "Moderator" || $xoopsrank == "Masterator") { redirect_header('index.php',3,_NOPERM); exit(); }

Stopping anonymous visitors viewing user info

From Dave_L

Quote:

Here's my hack for that:

userinfo.php:

include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php'; $xoopsUser or redirect_header('index.php', 3, _NOPERM); $uid = intval($HTTP_GET_VARS['uid']);

Blocking access for annoymous users

From Mithrandir

Quote:

at the top of userinfo.php - below the include statements - add this:

if (!$xoopsUser) { redirect_header('index.php', 3, 'You have got to register to access this page'); //Alternatively, use _NOPERM for localised message }

This will block access for non-registered users - but any registered user will be able to see it, independent of group memberships.

Display realname instead of username in new members block

From Dave_L

Quote:

Edit modules/system/blocks/system_blocks.php, and in the function b_system_newmembers_show (line 269 in version 2.0.5.2), change:

$block['users'][$i]['name'] = $newmembers[$i]->getVar('uname');

to:

$block['users'][$i]['name'] = $newmembers[$i]->getVar('name');

Hope that helps someone, it certainly helped solve a few problems for me.

Thanks,

Peter

Re: Access to user profile and user information

2007/6/30 9:47
peterr
Just can't stay away
Posts: 518
Since: 2004/8/5 9

Is there going to be (planned ??) any development in this area of displaying user profile information ?

It would be nice to restrict all access to username information (profile info) unless the $xoopsrank was equal, or lower.

That way, the "super" user ('admin'), outranking everyone, could keep a considerable amount of information secure. I'm thinking along the lines of protecting the username of the 'admin' person.

NO to the Microsoft Office format as an ISO standard.
Sign the petition

Re: Access to user profile and user information

2007/6/30 10:22
JCDunnart
Not too shy to talk
Posts: 114
Since: 2006/7/1 5

Here's a simple tip:

Create a new user to be the site admin. Give this user webmaster group permissions, and restrict the group permissions of user #1.

People won't know which user has the extra permissions... a very simple security enhancement

The only thing to look out for is if a module dev has hardcoded the webmaster access to user #1. That's easily tested by keeping webmaster permissions on both user accounts until you are sure everything works with the new one.

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Access to user profile and user information

Re: Access to user profile and user information

Re: Access to user profile and user information

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}