Loading...
 
Architecture / Installation

Architecture / Installation


Anonymous can see user informations (solution)

posts: 8539 Israel

I have discovered that anonymous (not connected) users can see users informations.

I don't like it at all like a lot of you guys i guess.


Thanks to Ggeller he give me the right solution.

Edit tiki-user_information.php

After line 14 add

if (!$user) {
$smarty->assign('msg', tra("You must be logged in to use this feature"));
$smarty->display("error.tpl");
die;
}

Work perfect !
Anonymous can no more sniff the site !

Note this has been done on :

// $Header: /cvsroot/tikiwiki/tiki/tiki-user_information.php,v 1.19.2.3 2004/08/23 22:43:25 mose Exp $


Should be added in next release if not already done !

Yoni

posts: 2881 United Kingdom

Just an update.

Its been done on 1.10 aka CVS HEAD but fully optional so to preserve the environment!

Its based on a new permission, You will need to add the new permission to Anonymous to get the current default settings as on all other releases.

Thanks GGeller! Excellent work

Damian


posts: 21 United States

Edited by Tagg to extend fix functionality to include site preference option.

Ditto Yoni's sentiment.

This potential privacy breech still exists as of Tiki 1.9.2
// $Header: /cvsroot/tikiwiki/tiki/tiki-user_information.php,v 1.19.2.8 2005/06/26 18:51:49 lfagundes Exp $

Unfortunately, I do not "see" an easy way to implement partial access restriction beyond self-viewing. For instance, allowing Group A to view profile information for Group B, but not that of Group C. However, we can:
- readily force Anonymous to log in,
- restrict default logged in visibility to self,
- enable administrative assignment of a Tiki permission for viewing non-self profile information,
- enable administrative selection of site preference option for public or non-public viewing of non-self profile information.

Here is my four step fix:

1. INSERT the new permission and site preference.

Image
INSERT INTO `users_permissions` ( `permName` , `permDesc` , `level` , `type` ) VALUES ( 'tiki_p_view_user_info', 'Can view user profile information', 'browse', 'tiki' ); INSERT INTO `tiki_preferences` ( `name` , `value` ) VALUES ( 'site_view_user_information', 'public' );

2. Assign the permission to at least one group.

3a. Copy 'tiki-user_information.php' as 'new--tiki-user_information.php'.

3b. Substitute lines 16 through 27 in 'new--tiki-user_information.php' with the below PHP code.

Image
// Set default page access permission to NO $bool_view_okay=FALSE; // Poll site preference for viewing user information $sz_site_view_pref = $tikilib->get_preference('site_view_user_information',tra('public')); // Check for self-viewing if (isset($_REQUEST['view_user'])) { $userwatch = $_REQUEST['view_user']; if (isset($user)) { if (0==strcasecmp($user,$userwatch)) { $bool_view_okay=TRUE; } } } elseif (isset($user)) { if ($user) { $userwatch = $user; $bool_view_okay=TRUE; } } else { if (0==strcasecmp(tra('public'),$sz_site_view_pref)) { $smarty->assign('msg',tra('No user indicated')); $smarty->display('error.tpl'); die; } } // Keep checking permissions if site preference is for non-public viewing access if (0<>strcasecmp(tra('public'),$sz_site_view_pref)) { // Check page access permissions if ('y'==$tiki_p_view) { if (isset($tiki_p_view_user_info)) { if ('y'==$tiki_p_view_user_info) { $bool_view_okay=TRUE; } } else { $bool_view_okay=TRUE; } } // Deny page access if not okay to view if (!$bool_view_okay) { if (isset($user)) { $smarty->assign('msg',tra('You may only view your own profile information.')); } else {// Redirect to log in, if insufficient permissions and not logged in $smarty->assign('msg',$smarty->fetch('modules/mod-login_box.tpl')); $smarty->assign('errortitle',tra("Please login")); } if (!$bool_view_okay) { $smarty->display('error.tpl'); die; } } }

4. Rename the installed 'tiki-user_information.php' to 'oldtiki-user_information.php', then 'newtiki-user_information.php' to 'tiki-user_information.php'

-Tagg


posts: 23 Germany

Why is there still no setting or permission for changing this behavior in v23?
Possibly it is needed to have a "closed" community and showing user information for public should be prevented...

posts: 1584 Canada
SiL3NC3 wrote:
Why is there still no setting or permission for changing this behavior in v23?


Somebody needs to code it and contribute it. The current feature lacks granularity, and the info is either public or private.

Can you help code this?

Thanks!