1
bumpeboy
Why one user can edit another user's profile?
  • 2009/11/26 11:48

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4



When user (John) logs in and goes to Profile » Edit Profile he is given detail of (Peter) to edit. This is a serious blander that has led me to take down my site.

I need someone from the XOOPS to give details and see whats wrong. The site cannot run like this, its a breach of users privacy and a massive mess.

XOOPS Version - XOOPS 2.4.1
PHP Version - 5.2.9
MySQL Version - 5.1.30
Server API Version - cgi-fcgi
OS Version - Linux

Module-Profile

2
deka87
Re: Why one user can edit another user's profile?
  • 2009/11/26 12:33

  • deka87

  • Friend of XOOPS

  • Posts: 1124

  • Since: 2007/10/5


are you sure you set up profile module permissions correct?

3
ghia
Re: Why one user can edit another user's profile?
  • 2009/11/26 12:50

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Probably you have given module admin rights for the profile module to registered users. Module access right will do for anonymous and registered users.

4
bumpeboy
Re: Why one user can edit another user's profile?
  • 2009/11/26 13:16

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


Quote:

deka87 wrote:
are you sure you set up profile module permissions correct?

There is no such permission. Am sure with the permission its okay.

5
bumpeboy
Re: Why one user can edit another user's profile?
  • 2009/11/26 13:22

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


Quote:

ghia wrote:
Probably you have given module admin rights for the profile module to registered users. Module access right will do for anonymous and registered users.


I cant make such a mistake, anyway i have doubled checked the admin permission is only on Admin.





6
bumpeboy
Re: Why one user can edit another user's profile?
  • 2009/11/26 13:30

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


Let me repeat again.

When user (John) logs in and goes to his Profile he see his correct details as below

modules/profile/userinfo.php

Profile » User profile

John john@email.com


But when he clicks edit profile.

Profile » Edit Profile

He gets this

Basic Information

Username
Peter
Email
peter@email.com


So John cant edit his own account but he can edit peters.

I have checked with another user.

Sandra logs in as Sandra goes to edit account and she get

Basic Information

Username
Peter
Email
peter@email.com


Whats with this peters account it appearing on anyone who wants to edit there account.

7
trabis
Re: Why one user can edit another user's profile?
  • 2009/11/26 13:46

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Could it be cache problem? Do you have cache set for profile module?

8
ghia
Re: Why one user can edit another user's profile?
  • 2009/11/26 13:50

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Is there the same mixup when they edit their avatar or going to their Private messages (from within profile view)?

9
bumpeboy
Re: Why one user can edit another user's profile?
  • 2009/11/26 14:12

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


Quote:

trabis wrote:
Could it be cache problem? Do you have cache set for profile module?


Yes, that was the problem, i have removed the 1 week cache and now it works fine.
Thanks

What can i do to save user login details for easy access eg for a week? I dont want a situation where a user has to type username an password all the time.

10
bumpeboy
Re: Why one user can edit another user's profile?
  • 2009/11/26 18:38

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


Sorry there, thats not what i ment, I simply forgot the words (my login) and now i see the absence of those two words changed what i ment. Here is what i ment including the missing words.

Quote:
I need someone from the XOOPS to give my login details and see whats wrong. The site cannot run like this, its a breach of users privacy and a massive mess.


Grammar: someone from the XOOPS to give details and see whats wrong. Doesnt make sense.

I was not blaming xoops, i wanted to say that i can only trust someone from XOOPS with my login details.

MY APOLOGIES.

Login

Username:
Password:

Lost Password? Register now!

Who's Online

73 user(s) are online (51 user(s) are browsing Support Forums)


Members: 0


Guests: 73


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits