1
jilong
userinfo.php not secure
  • 2007/5/8 10:01

  • jilong

  • Just popping in

  • Posts: 61

  • Since: 2007/1/10


I not sure this is a bug or not.
I found that there is easy to view ALL the userinfo by just change the uid.

example: userinfo.php?uid=6

I would like my member info abit secure and not so easy to explore by any one.

Can the system check only allow the account user or admin level can access to the userinfo?

2
sato-san
Re: userinfo.php not secure
  • 2007/5/8 10:50

  • sato-san

  • Quite a regular

  • Posts: 224

  • Since: 2005/7/1 1


Add the following line to prevent Anonymous users from viewing user profiles:
Quote:

$xoopsUser or redirect_header('index.php', 3, _NOPERM);



Example:
Quote:

<?php
// $Id: userinfo.php 772 2006-10-17 01:41:32Z skalpa $
// ------------------------------------------------------------------------ //
// XOOPS - PHP Content Management System //
// Copyright (c) 2000 XOOPS.org //
// <https://xoops.org/> //
// ------------------------------------------------------------------------ //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// You may not change or alter any portion of this comment or credits //
// of supporting developers from this source code or any supporting //
// source code which is considered copyrighted (c) material of the //
// original comment or credit authors. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details. //
// //
// You should have received a copy of the GNU General Public License //
// along with this program; if not, write to the Free Software //
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
// ------------------------------------------------------------------------ //

$xoopsOption['pagetype'] = 'user';
include 'mainfile.php';
include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';
// Added following line to keep non-registered users from viewing profiles. //
$xoopsUser or redirect_header('index.php', 3, _NOPERM);
// End modified file //
include_once XOOPS_ROOT_PATH . '/modules/system/constants.php';

3
talunceford
Re: userinfo.php not secure

You can also accomplish what you need by editing the userinfo.html template. By default the userinfo page is supposed to be viewable by anon users, the one thing that is NOT viewable is a persons email address. For example, my bf2 site has a public profile page for all the members, but this is on purpose, because you can view each persons stats that way and not be a member of the site. Now, if a person wants stats of their own, they have to register. By registering, it opens up quite a few different options that are only available only to registered users.

Its not a bug, persay, but you can either make it so anons do not have any access to the page, or you can limit what they can see by simply editing the userinfo template. Remember to clone the default template.

Here is a screenshot of the userinfo page on my site.

Resized Image
Tim
www.tswn.com | www.bf2online.com | aquaria.tswn.com | www.bf2142online.org

4
jilong
Re: userinfo.php not secure
  • 2007/5/10 2:07

  • jilong

  • Just popping in

  • Posts: 61

  • Since: 2007/1/10


Quote:

sato-san wrote:
Add the following line to prevent Anonymous users from viewing user profiles:
$xoopsUser or redirect_header('index.php', 3, _NOPERM);


I found this code can prevent Anonymous users from viewing user profiles, but i would like to keep all userprofile as private event to other registed user. still thank for your help

Quote:

talunceford wrote:
You can also accomplish what you need by editing the userinfo.html template. By default the userinfo page is supposed to be viewable by anon users, the one thing that is NOT viewable is a persons email address.


Thank for your ideal. I would like my site profile only view by the own user, so i add this code to my userinfo.html for only own user and admin allow to view:

<{if $user_ownpage == true || $xoops_isadmin != false }>
.
.
profile table
.
.
<{/if}>


also i add this code to alert Anonymous and non own user:

<{if $user_ownpage != true}>
<
center><h3>Please login to view the profile</h3></center>
<{/if}>


Now there have new problem for me again. i will assign a modarator to manage all memberd list, and the "modarator" group was created, how can i add this group to have right to view the profile?

5
Dave_L
Re: userinfo.php not secure
  • 2007/5/10 10:20

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


If you want to, you could simplify those if-clauses:

<{if $user_ownpage || $xoops_isadmin}>
.
.
profile table
.
.
<{/if}>


<{if !$user_ownpage}>
<
center><h3>Please login to view the profile</h3></center>
<{/if}>

6
jilong
Re: userinfo.php not secure
  • 2007/5/16 0:57

  • jilong

  • Just popping in

  • Posts: 61

  • Since: 2007/1/10


Thank Dave_L, it just suite what i want.

7
limecity
Re: userinfo.php not secure
  • 2008/5/24 12:29

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


this works with XOOPS 2.0.18.1 ! thanks !
http://www.mounthiking.com
all your hiking gears and gadgets


8
Anonymous
Re: userinfo.php not secure
  • 2008/5/24 12:43

  • Anonymous

  • Posts: 0

  • Since:


Quote:
limecity wrote:

does with work with XOOPS 2.0.18.1 ?


I can't see why not; try it and tell us

9
limecity
Re: userinfo.php not secure
  • 2008/5/24 12:48

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


just verified it. it works well.
thanks again
http://www.mounthiking.com
all your hiking gears and gadgets


Login

Who's Online

171 user(s) are online (101 user(s) are browsing Support Forums)


Members: 0


Guests: 171


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits