xoops forums

bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 11:48
Posts: 170
Since: 2008/10/4
#1

Why one user can edit another user's profile?


When user (John) logs in and goes to Profile » Edit Profile, he is given the details of (Peter) to edit. This is a serious blunder that has led me to take down my site.

I need someone from the XOOPS to give details and see what's wrong. The site cannot run like this, it's a breach of users' privacy and a massive mess.

XOOPS Version - XOOPS 2.4.1
PHP Version - 5.2.9
MySQL Version - 5.1.30
Server API Version - cgi-fcgi
OS Version - Linux

Module-Profile

deka87

Friend of XOOPS
Posted on: 2009/11/26 12:33
Posts: 1124
Since: 2007/10/5
#2

Re: Why one user can edit another user's profile?

Are you sure you set up the profile module permissions correctly?

ghia

Community Support Member
Posted on: 2009/11/26 12:50
Posts: 4954
Since: 2008/7/3 1
#3

Re: Why one user can edit another user's profile?

Probably you have given module admin rights for the profile module to registered users. Module access rights will do for anonymous and registered users.

bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 13:16
Posts: 170
Since: 2008/10/4
#4

Re: Why one user can edit another user's profile?

Quote:

deka87 wrote:
Are you sure you set up the profile module permissions correctly?

There is no such permission. I'm sure with the permissions it's okay.

bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 13:22
Posts: 170
Since: 2008/10/4
#5

Re: Why one user can edit another user's profile?

Quote:

ghia wrote:
Probably you have given module admin rights for the profile module to registered users. Module access rights will do for anonymous and registered users.


I can't make such a mistake; anyway, I have double-checked, the admin permission is only on Admin.




bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 13:30
Posts: 170
Since: 2008/10/4
#6

Re: Why one user can edit another user's profile?

Let me repeat again.

When user (John) logs in and goes to his Profile, he sees his correct details as below:

modules/profile/userinfo.php

Profile » User profile

John john@email.com


But when he clicks Edit Profile:

Profile » Edit Profile

He gets this:

Basic Information

Username
Peter
Email
peter@email.com


So John can't edit his own account, but he can edit Peter's.

I have checked with another user.

Sandra logs in as Sandra, goes to edit account, and she gets:

Basic Information

Username
Peter
Email
peter@email.com


What's with this Peter's account, it's appearing for anyone who wants to edit their account.

trabis

Core Developer
Posted on: 2009/11/26 13:46
Posts: 2268
Since: 2006/9/1 1
#7

Re: Why one user can edit another user's profile?

Could it be a cache problem? Do you have cache set for the profile module?

ghia

Community Support Member
Posted on: 2009/11/26 13:50
Posts: 4954
Since: 2008/7/3 1
#8

Re: Why one user can edit another user's profile?

Is there the same mix-up when they edit their avatar or go to their private messages (from within profile view)?

bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 14:12
Posts: 170
Since: 2008/10/4
#9

Re: Why one user can edit another user's profile?

Quote:

trabis wrote:
Could it be a cache problem? Do you have cache set for the profile module?


Yes, that was the problem. I have removed the 1 week cache and now it works fine.
Thanks

What can I do to save user login details for easy access, e.g. for a week? I don't want a situation where a user has to type username and password all the time.
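
The failure confirmed in the post above, modeled as an added example (not XOOPS code and not written by any poster): it assumes the cached Edit Profile page was stored under a key that ignores who is logged in, and compares that with a key that includes the user id. `PageCache`, `serve_shared`, `serve_per_user`, `leaks_between_users`, the `/profile/edit` path and the sample accounts are constructed for illustration.

```python
import time

WEEK = 7 * 24 * 3600  # the "1 week" cache lifetime mentioned in the thread


class PageCache:
    """Minimal whole-page cache (hypothetical, not XOOPS's implementation)."""

    def __init__(self):
        self._store = {}

    def fetch(self, key, ttl, render, now=None):
        now = time.time() if now is None else now
        hit = self._store.get(key)
        if hit and now - hit[0] < ttl:
            return hit[1]  # served from cache; render() never runs
        body = render()
        self._store[key] = (now, body)
        return body


def edit_profile(user):
    # Constructed stand-in for the Edit Profile form: output depends on the session.
    return f"Username: {user['name']}\nEmail: {user['email']}"


def serve_shared(cache, url, user, now=None):
    # Assumed failure mode: the key is the URL alone, so the first visitor's form is replayed.
    return cache.fetch(url, WEEK, lambda: edit_profile(user), now)


def serve_per_user(cache, url, user, now=None):
    # The key carries the session identity, so logged-in users never share an entry.
    return cache.fetch((url, user["uid"]), WEEK, lambda: edit_profile(user), now)


def leaks_between_users(serve, users, url="/profile/edit"):
    """Names of users who were shown a page rendered for someone else."""
    cache = PageCache()
    return [u["name"] for u in users if u["email"] not in serve(cache, url, u)]


# Constructed sample accounts, using the names from the thread.
USERS = [
    {"uid": 3, "name": "Peter", "email": "peter@email.com"},
    {"uid": 7, "name": "John", "email": "john@email.com"},
    {"uid": 9, "name": "Sandra", "email": "sandra@email.com"},
]
```

With the URL-only key, John and Sandra keep receiving the form rendered for Peter until the week-long entry expires, which is why removing the cache from the module cleared the symptom.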

bumpeboy

Friend of XOOPS
Posted on: 2009/11/26 18:38
Posts: 170
Since: 2008/10/4
#10

Re: Why one user can edit another user's profile?

Sorry there, that's not what I meant. I simply forgot the words (my login), and now I see the absence of those two words changed what I meant. Here is what I meant, including the missing words.

Quote:
I need someone from the XOOPS to give my login details and see what's wrong. The site cannot run like this, it's a breach of users' privacy and a massive mess.


Grammar: someone from the XOOPS to give details and see what's wrong. Doesn't make sense.

I was not blaming XOOPS, I wanted to say that I can only trust someone from XOOPS with my login details.

MY APOLOGIES.