Fix for ticket 1010: Don't leak valid user names in "forgot password" form.

Includes fixes for user forms as well (edit user / email / password).
This commit is contained in:
Andy Staudacher
2010-02-11 13:11:31 -08:00
parent 1ada27916f
commit cd98f85260
2 changed files with 30 additions and 26 deletions


@@ -20,7 +20,7 @@
class Users_Controller extends Controller {
public function update($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -63,7 +63,7 @@ class Users_Controller extends Controller {
public function change_password($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -99,7 +99,7 @@ class Users_Controller extends Controller {
public function change_email($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -134,7 +134,7 @@ class Users_Controller extends Controller {
public function form_edit($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -143,7 +143,7 @@ class Users_Controller extends Controller {
public function form_change_password($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -152,7 +152,7 @@ class Users_Controller extends Controller {
public function form_change_email($id) {
$user = user::lookup($id);
if ($user->guest || $user->id != identity::active_user()->id) {
if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}