2.40.00 RC1 - Hidden User Fields - [Fix]

Posted: Sat Sep 19, 2009 5:48 pm

There is a bug with public/private custom fields that may allow a registered user see another private fields.

Find line 105 of /modules/Your_Account/public/userinfo.php

Code:




if (is_admin($admin) OR (is_user($user) AND $usrinfo['username'] == $username)) {

Change to:

Code:




if (is_admin($admin) OR (is_user($user) AND $usrinfo['username'] == $userinfo['username'])) {

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Under which conditions was this a problem (i.e. when is $username != $userinfo['username'])?

Posted: Sun Sep 20, 2009 7:46 am

does'nt the YA use define('MY_PROFILE') wont it be easier to change it to

Code:

if (is_admin($admin) OR (defined('MY_PROFILE'))) {

Posted: Sun Sep 20, 2009 9:43 am

kguske wrote:

Under which conditions was this a problem (i.e. when is $username != $userinfo['username'])?

It was not a problem when "!=". It was a problem when "==" when a person is viewing another users profile because $username is the name in the URI and $usrinfo['username'] (not $userinfo['username']) is based on $username.

So insteead of comparing the person your searching for ($username & $usrinfo['username']) with itself you need to compare the perason you are searching for with yourself ( $username & $userinfo['username']) .

@gazj
Yes gazj after making this post and doing a more indepth solution I did change all instances like this to use the constant. I can't remerber the name of the constant. Its not MY_PROFILE. The reason I used the constant is becuase if you don't you have to worry about doing a strtolower() for everything.

Posted: Sun Sep 20, 2009 10:34 am

yeah i know its not MY_PROFILE but i thought you would get what i meant lol i only mentioned it as i remember from when i was looking at the userinfo file when i did something for kguske

i use MY_PROFILE in my YA thats where i got MY_PROFILE from