Author |
Message |
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1242
|
Posted:
Thu Aug 19, 2010 9:07 am |
|
I think I did this once before on the other server, but nonetheless I need to be able to disable anonymous users from being able to email content entries to friends, etc. Only reg'd users to have the ability or disable it altogether.
Jon?
Cheers |
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania
|
Posted:
Thu Aug 19, 2010 10:18 am |
|
You need to find the appropriate section of code and wrap it in
Code:
if (is_user($user)) {
}
|
|
_________________ "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. |
dad7732
|
Posted:
Thu Aug 19, 2010 10:54 am |
|
Ok, I have three lines referring to mailing to "friend":
Code:
case 'share_page': include('modules/'.$module_name.'/var/friend.php'); break;
|
The other two lines just echo an output to screen.
Wrap just this line above, like?:
Code:
if (is_user($user)) {
case 'share_page': include('modules/'.$module_name.'/var/friend.php'); break;
}
|
What about just commenting out the line instead?
Thanks |
dad7732
|
Posted:
Thu Aug 19, 2010 10:58 am |
|
Commenting out the line works, when clicking on the envelope to mail to a friend, it just brings back the content index page. But I don't know if this is the RIGHT way to do it, re:, ill effects?? Don't see any .. yet. ;) |
Palbin
|
Posted:
Thu Aug 19, 2010 11:05 am |
|
Try this.
Code:
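case 'share_page':
    // Only registered users may load the "send to a friend" code
    if (is_user($user)) {
        include('modules/' . $module_name . '/var/friend.php');
    } else {
        // Anonymous visitors are sent back to the module index
        header('Location: ../../modules.php?name=' . $module_name);
        die();
    }
    break;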
|
I would still wrap the echo statements in:
Code:
if (is_user($user)) {
}
|
jestrella
Moderator
Joined: Dec 01, 2005
Posts: 593
Location: Santiago, Dominican Republic
|
Posted:
Thu Aug 19, 2010 10:04 pm |
|
Will work the way you proposed! But links will still be shown to anonymous users.
BTW it sure needs to be a registered-only function, so I'll address this for the next release... |
_________________ "For those whom have not reach the sky... Every mountain seems high"
Best Regards
Jonathan Estrella
http://about.me/jestrella04 |
dad7732
|
Posted:
Fri Aug 20, 2010 6:09 am |
|
jestrella wrote: | Will work the way you proposed! But links will still be shown to anonymous users.
BTW it sure needs to be a registered-only function, so I'll address this for the next release... |
I made it so that the envelope icon doesn't show and therefore neither does the link ..
Cheers |
jestrella
|
Posted:
Fri Aug 20, 2010 7:57 am |
|
Great, anyways I'll be working on this for next release... |
dad7732
|
Posted:
Fri Aug 20, 2010 8:42 am |
|
Thanks for your attention. I can fix problems with bandaids, just can't do it programmatically.
Cheers |
dad7732
|
Posted:
Thu Oct 28, 2010 11:28 am |
|
Somehow or another, the problem returned, I think by re-uploading the distro when I changed servers. Ok tho, I disabled the "friend email" for the time being until a future release.
Cheers |
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sat Oct 30, 2010 9:42 am |
|
Guys, it is one thing to not show a link and an entirely different thing if you also do not disable that function altogether. Once the "attack vector" is known, i.e., the op=FriendSend, you have to disable that function altogether. |
dad7732
|
Posted:
Sat Oct 30, 2010 9:50 am |
|
Very true, but mine is "disabled", url does not work, just brings up the Content again.
Cheers |
montego
|
Posted:
Sat Oct 30, 2010 10:08 am |
|
Sorry, meant op=SendPage. Just remember that the attacker doesn't have to link into the FriendSend page to do this. I can create a form on my own site with a post to the SendPage op with all the fields filled in (or just send the post from a program). You really need to disable the SendPage function for anonymous if you really want to stop this. |
dad7732
|
Posted:
Sat Oct 30, 2010 10:54 am |
|
That doesn't work either but I don't remember disabling it anywhere. |
montego
|
Posted:
Sat Oct 30, 2010 11:11 am |
|
dad7732, if you want me to try, PM me your site link. |
dad7732
|
Posted:
Sat Oct 30, 2010 11:16 am |
|
Better yet, PM me the URL to try. |
montego
|
Posted:
Sat Oct 30, 2010 5:31 pm |
|
dad7732, I can't just give you a link because that would be a GET request and the code is looking for a POST. You may want to try to see if you can get to the content page using:
http://yourdomain.tld/modules.php?name=Content&pa=share_page&op=FriendSend&pid=1 (change the content id to whatever you have that is available)
Beyond this, I do not want to disclose any more than this. The rest of what we do should be via PM or just send me an email (since my email address hasn't changed since being on the RN Team) and we can work through this off-line. |
montego
|
Posted:
Sun Oct 31, 2010 8:51 am |
|
jestrella wrote: | BTW it sure needs to be a registered-only function, so I'll address this for the next release... |
Any way you can maybe make that configurable? News and some blog sites allow you to "share article" type capability and these are anonymous. Someone might still want this capability. However, if I allow anonymous on my site, I would want the RN captcha protecting the final send of that form (again configurable in rnconfig.php with the other module-level captcha settings). |
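Added example, not part of the thread and not RavenNuke code: a server-side check that covers both points montego raises above, refusing anonymous requests on the send handler itself rather than only hiding the link, and making anonymous sharing a setting that requires a captcha on the final send. The `is_user()` stub, the `$shareConfig` keys and `authorize_share()` are hypothetical; the op names are the ones mentioned in the thread.

```php
<?php
// Stand-in for the CMS's is_user() used in the thread (assumption: the real one
// validates the login cookie; this one only checks that it is non-empty).
function is_user($user) { return !empty($user); }

// Hypothetical settings; the thread only suggests making this configurable.
$shareConfig = array(
    'allow_anonymous'    => false, // registered users only by default
    'anon_needs_captcha' => true,  // if anonymous is allowed, gate the send step
);

/**
 * Hypothetical helper: decide whether a share request may proceed.
 * $op is 'FriendSend' (the form) or 'SendPage' (the step that sends mail).
 * Returns an HTTP status: 200 = allow, anything else = refuse.
 */
function authorize_share($op, $method, $user, $captchaOk, array $cfg)
{
    if (!in_array($op, array('FriendSend', 'SendPage'), true)) {
        return 404;
    }
    if ($op === 'SendPage' && $method !== 'POST') {
        return 405; // the send step only accepts POST
    }
    if (is_user($user)) {
        return 200;
    }
    if (!$cfg['allow_anonymous']) {
        return 403; // enforced on the form AND on the send handler
    }
    if ($op === 'SendPage' && $cfg['anon_needs_captcha'] && !$captchaOk) {
        return 403; // anonymous send without a solved captcha
    }
    return 200;
}

// Constructed requests: op, method, user cookie, captcha solved.
$cases = array(
    array('FriendSend', 'GET',  '', false),                    // anonymous, form
    array('SendPage',   'POST', '', false),                    // anonymous, direct POST
    array('SendPage',   'POST', 'constructed-cookie', false),  // registered user
);
foreach ($cases as $c) {
    $status = authorize_share($c[0], $c[1], $c[2], $c[3], $shareConfig);
    printf("%-10s %-4s user=%-3s => %d\n", $c[0], $c[1], $c[2] === '' ? 'no' : 'yes', $status);
}
```

Because the decision is made in the handler, removing the envelope icon from the template changes nothing about what an anonymous request to either op is allowed to do.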
dad7732
|
Posted:
Sun Oct 31, 2010 9:46 am |
|
It works on a site where friend is not disabled but does not work on one that is.
Cheers |