horror-code
New Member
Joined: Apr 29, 2013
Posts: 23
Posted: Sat May 04, 2013 6:25 am
I know I have a way with titles.
I was tired of the simple "you must login to use this feature" text which then requires a user to navigate manually to the login page, so I went ahead and opened up /modules/Your_Account/includes/functions.php and found the notuser function around line 489. I have modified it so it looks like this:
Code:
function notuser() {
    include_once 'header.php';
    OpenTable();
    // $redirect comes from the request (it is set outside this function) and is
    // sent back to the browser as the Location target without any check.
    $forward = str_replace('redirect=', '', $redirect);   // assigned but never used
    if ($redirect != '') {
        Header('Location: ' . $redirect);
    } else {
        Header('Location: account.html');
    }
    die();
    // Never reached: die() above ends the script before the table and footer.
    CloseTable();
    include_once 'footer.php';
}
I can verify it works properly. The question is what is the redirect stuff doing here? Can I get it to listen to the incoming request and then set Your Account to redirect to the originally requested page after logging in?
And is the method I used above secure?
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania
Posted: Sat May 04, 2013 6:55 am
You only really need this:
Code:
function notuser() {
    Header('Location: account.html');
    die();
}
Now that does account for any kind of redirect. I think redirecting to a certain module or other semi predefined address would be ok, but would be very leery of allowing any redirect with any parameter. What are you looking to do?
_________________ "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan.
horror-code
Posted: Sat May 04, 2013 7:05 am
It would just be nice if it redirected to the originating page at least. Would that be possible, say if one were trying to change the theme from their account page and somehow got logged out, it would then redirect them to login. After which it would redirect them back to the accounts/theme page?
So basically get the referring url and pass that back?
It doesn't have to pass the original parameters.
nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
Posted: Sat May 04, 2013 1:33 pm
I'm not sure if this is what you mean or not, but if you want the user to return to the page they were on after they use the login colorbox, look in modules/Your_Account/index.php and find:
Code:
} elseif ($redirect == '') {
    Header('Location: modules.php?name=Your_Account&op=userinfo&bypass=1&username=' . $username);
and replace with:
Code:
} elseif ($redirect == '') {
    // Referer is a header the client sends; the browser is redirected to whatever it contains.
    Header('Location: ' . $_SERVER['HTTP_REFERER']);
That might do it for you.
_________________ Tricked Out News
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu May 09, 2013 6:23 pm
I would not recommend trusting $_SERVER['HTTP_REFERER']. You would be opening up your users to potentially vicious CSRF or XSS attacks. The Golden Rule of Development: Never trust your input.
Personally, I would make sure and test the content of that referer to make sure it is coming from your domain and the rest of it is "cleansed" too. I just don't think it is worth the trouble unless you know what you're doing and can code that...
_________________ Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more...
horror-code
Posted: Fri May 10, 2013 12:04 am
Will the functionality for anonymous users changing themes ever return?
Is there some way to get the actual url that is being passed or does it actually insert something into the db that can't be done with a url?
As that might be a much simpler solution to this specific case, where I might run into other scenarios down the road, I haven't yet.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Mon May 13, 2013 3:42 pm
horror-code wrote: "Will the functionality for anonymous users changing themes ever return?"
As far as I remember, theme selection has always been part of the users settings, so therefore the user has to be logged in to see it and change it.
However, I believe there is a 'theme preview' block that uses javascript and probably a cookie to switch themes temporarily, so that would work for 'real' users who are anonymous.
I'm not certain if this would get blocked due to our recent introduction of a setting to show a specific theme to anonymous users or not because I haven't tried it.
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm
Joined: Aug 13, 2009
Posts: 1123
Posted: Tue May 14, 2013 7:09 am
what do you recommend then montego?
The only way I know it is this one
Code:
if (($ya_config['tos'] == 1) AND ($_POST['tos_yes'] == 1)) {
    $db->sql_query('UPDATE ' . $user_prefix . '_users SET agreedtos=\'1\' WHERE username=\'' . $setinfo['username'] . '\'');
    // Same pattern as notuser(): $redirect is request input and becomes the
    // Location target without being checked against the site's own URLs.
    $forward = str_replace('redirect=', '', $redirect);   // assigned but never used
    if ($redirect != '') {
        Header('Location: ' . $redirect);
    } else {
        Header('Location: index.php');
        //Header('Location: modules.php?name=Your_Account&op=userinfo&bypass=1&username=' . $setinfo['username']);
    }
    die();
}
montego
Posted: Wed May 15, 2013 7:22 am
hicuxunicorniobestbuildpc wrote: "what do you recommend then montego?"
Sorry, hicux, I already did (indirectly) here:
Quote:
I just don't think it is worth the trouble unless you know what you're doing and can code that...
And I pointed you to what you would need to code for here:
Quote:
make sure and test the content of that referer to make sure it is coming from your domain and the rest of it is "cleansed" too
I am not going to code it for you... I'm sure you can find many examples of how to parse a URL (there are even several PHP functions to do this and I'm sure even preg_match() examples). The bottom line is you want to essentially "whitelist" what you are looking for, make sure that is what you are getting in the REFERER, and only redirect if it's "good".
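As an added example (not RavenNuke's code and not posted by anyone in this thread), this is what the whitelist montego describes looks like when written out, applied to the two redirect sources the thread has discussed: the ?redirect= value that the first post's notuser() passes straight to Header(), and the Referer header the index.php edit uses. The function names safe_redirect_target, notuser_safe and after_login_redirect and the host www.example.com are my own; the site host is assumed to come from configuration rather than from $_SERVER['HTTP_HOST'], which the client controls.

```php
<?php
// Added example, not RavenNuke code: only follow redirect targets on this site.
// Whatever is passed in (a ?redirect= value or a Referer header), the result is
// always rebuilt as a site-relative path, so no attacker-supplied host, scheme
// or userinfo can reach the Location header.

/**
 * Returns a site-relative path such as "/modules.php?name=..." derived from
 * $target, or null when $target must not be used as a redirect destination.
 * $ownHost is the site's configured host name (assumption: read from config).
 */
function safe_redirect_target($target, $ownHost)
{
    if (!is_string($target) || $target === '') {
        return null;
    }
    // CR/LF inside the value would let it smuggle extra response headers.
    if (preg_match('/[\r\n]/', $target)) {
        return null;
    }
    // "//other.example/..." is a protocol-relative absolute URL: refuse it.
    if (substr($target, 0, 2) === '//') {
        return null;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: allow only http(s) on our own host, with no user:pass part.
        $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
        if ($scheme !== 'http' && $scheme !== 'https') {
            return null;
        }
        if (!isset($parts['host']) || strcasecmp($parts['host'], $ownHost) !== 0) {
            return null;
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return null;
        }
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    // Some browsers treat "\" like "/", so "/\other.example" would leave the site.
    if (strpos($path, '\\') !== false) {
        return null;
    }
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;   // "modules.php?..." becomes "/modules.php?..."
    }
    $query = (isset($parts['query']) && $parts['query'] !== '') ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Hardened replacement for the thread's notuser(): send the visitor to the login
// page and carry the page they were on as an encoded ?redirect= parameter.
function notuser_safe()
{
    $current = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    header('Location: account.html?redirect=' . rawurlencode($current));
    exit;
}

// After a successful login: honour ?redirect= only if it validates, otherwise
// fall back to the user's own account page exactly as index.php does today.
function after_login_redirect($ownHost, $username)
{
    $requested = isset($_GET['redirect']) ? $_GET['redirect'] : '';
    $target = safe_redirect_target($requested, $ownHost);
    if ($target === null) {
        $target = 'modules.php?name=Your_Account&op=userinfo&bypass=1&username=' . rawurlencode($username);
    }
    header('Location: ' . $target);
    exit;
}

// Self-check on constructed inputs (run with: php this_file.php).
$cases = array(
    'modules.php?name=Your_Account&op=theme'       => '/modules.php?name=Your_Account&op=theme',
    'http://www.example.com/modules.php?name=News' => '/modules.php?name=News',
    'https://evil.example/phish'                   => null,
    '//evil.example/phish'                         => null,
    'javascript:alert(1)'                          => null,
    "/index.php\r\nSet-Cookie: x=1"                => null,
    '/\\evil.example'                              => null,
);
foreach ($cases as $input => $expected) {
    $got = safe_redirect_target($input, 'www.example.com');
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . var_export($input, true) . "\n";
}
```

The design choice worth noting is that the helper never echoes back the host it was given: an absolute URL on your own domain is reduced to its path and query, so the only thing that can ever appear after "Location: " is a path on the current site. Applied to the index.php edit from earlier in the thread, the same function can be run over $_SERVER['HTTP_REFERER'] before it is used, with the userinfo page as the fallback when it does not validate.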