
#268 Stop guests from viewing profiles

Milestone: XOOPS_2.0.x
Status: open
Owner: nobody
Labels: Core (214)
Priority: 9
Updated: 2012-09-25
Created: 2007-11-02
Creator: Peter
Private: No

I'd like to request a mod to stop guests from viewing registered user profiles please.

At present, most XOOPS sites have the 'webmaster/admin' as user #1, and any guest can do this:

http://example.com/userinfo.php?uid=1

and get the username, thereby making it easier to hack into an admin account. Also, if the user's email address is to be displayed, then any guest can also view that.

Of course, even if the 'webmaster/admin' is not user #1, guests can still find it by displaying a number of user IDs. All up, not good for website security.

The mod only needs one line added, the file is /userinfo.php

AFTER this line ....

include_once XOOPS_ROOT_PATH.'/class/module.textsanitizer.php';

ADD the following line ........

$xoopsUser or redirect_header('index.php', 3, _NOPERM);

That's it !!
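The access rule the ticket asks for, written out as an added example that is not XOOPS core code. It models the one-line guard (guests have no $xoopsUser and get sent to index.php) together with the e-mail concern raised above; plain arrays stand in for XoopsUser objects so it runs from the CLI, and the user_viewemail opt-in flag is assumed to mean the same as the XOOPS field of that name.

```php
<?php
// Added example, not XOOPS project code. In XOOPS 2.0.x $xoopsUser is null
// for guests, and redirect_header() sends the visitor elsewhere; here the
// decision is returned instead of acted on so it can be checked offline.

/**
 * Null when $viewer may see the profile, otherwise the redirect target.
 * Mirrors:  $xoopsUser or redirect_header('index.php', 3, _NOPERM);
 */
function profile_access_check(?array $viewer): ?string
{
    return $viewer === null ? 'index.php' : null;   // guest => bounce
}

/**
 * Whether $target's e-mail may be rendered for $viewer: never for guests;
 * always for the profile owner or an admin; otherwise only if the owner
 * opted in (user_viewemail, assumed to match the XOOPS flag).
 */
function email_visible(?array $viewer, array $target): bool
{
    if ($viewer === null) {
        return false;
    }
    if ($viewer['uid'] === $target['uid'] || !empty($viewer['is_admin'])) {
        return true;
    }
    return !empty($target['user_viewemail']);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample data: uid 1 is the webmaster, as on most XOOPS sites.
$admin  = ['uid' => 1,  'uname' => 'webmaster', 'email' => 'wm@example.com',
           'user_viewemail' => 0, 'is_admin' => true];
$member = ['uid' => 42, 'uname' => 'alice', 'is_admin' => false];

check(profile_access_check(null) === 'index.php', 'guest is redirected');
check(profile_access_check($member) === null,     'member may view profile');
check(email_visible(null, $admin) === false,      'guest never sees e-mail');
check(email_visible($member, $admin) === false,   'opted-out e-mail hidden');
check(email_visible($admin, $admin) === true,     'owner sees own e-mail');
```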

Discussion

  • Peter

    Peter - 2008-01-03

    Logged In: YES
    user_id=1288992
    Originator: YES

    Any chance of this one line modification being included in the next release of XOOPS 2.0.x ??

    I see it is even in the XOOPS FAQ - http://www.xoops.org/modules/smartfaq/faq.php?faqid=282

  • Peter

    Peter - 2008-07-07


    I have just had a look at the source for XOOPS 2.3.0 Beta, and it seems this (simple/one line) modification still hasn't been addressed.

    Can someone PLEASE add the one line ??

    Or, possibly the code has been modified (already) by some other method, to stop guests viewing the user profile.

    I can remember when version 2.2 came out (I may have the version wrong), and it included 'profiles', and by default, guests could not view profiles.

  • Peter

    Peter - 2008-07-14


    If XOOPS 2.3 is meant to be the version that BOTH 2.2.x and 2.0.xx users can upgrade to, then this simple modification, or the "profiles" that version 2.2 had in it, needs to be included.
