Architecture / Installation

Architecture / Installation

Anonymous can see user informations (solution)

posts: 8320 Israel

I have discovered that anonymous (not connected) users can see users informations.

I don't like it at all like a lot of you guys i guess.

Thanks to Ggeller he give me the right solution.

Edit tiki-user_information.php

After line 14 add

if (!$user) {
$smarty->assign('msg', tra("You must be logged in to use this feature"));

Work perfect !
Anonymous can no more sniff the site !

Note this has been done on :

// $Header: /cvsroot/tikiwiki/tiki/tiki-user_information.php,v 2004/08/23 22:43:25 mose Exp $

Should be added in next release if not already done !


posts: 2881 United Kingdom

Just an update.

Its been done on 1.10 aka CVS HEAD but fully optional so to preserve the environment!

Its based on a new permission, You will need to add the new permission to Anonymous to get the current default settings as on all other releases.

Thanks GGeller! Excellent work


posts: 21 United States

Edited by Tagg to extend fix functionality to include site preference option.

Ditto Yoni's sentiment.

This potential privacy breech still exists as of Tiki 1.9.2
// $Header: /cvsroot/tikiwiki/tiki/tiki-user_information.php,v 2005/06/26 18:51:49 lfagundes Exp $

Unfortunately, I do not "see" an easy way to implement partial access restriction beyond self-viewing. For instance, allowing Group A to view profile information for Group B, but not that of Group C. However, we can:
- readily force Anonymous to log in,
- restrict default logged in visibility to self,
- enable administrative assignment of a Tiki permission for viewing non-self profile information,
- enable administrative selection of site preference option for public or non-public viewing of non-self profile information.

Here is my four step fix:

1. INSERT the new permission and site preference.

INSERT INTO `users_permissions` ( `permName` , `permDesc` , `level` , `type` )
'tiki_p_view_user_info', 'Can view user profile information', 'browse', 'tiki'
INSERT INTO `tiki_preferences` ( `name` , `value` )
'site_view_user_information', 'public'

2. Assign the permission to at least one group.

3a. Copy 'tiki-user_information.php' as 'new--tiki-user_information.php'.

3b. Substitute lines 16 through 27 in 'new--tiki-user_information.php' with the below PHP code.

// Set default page access permission to NO

// Poll site preference for viewing user information
$sz_site_view_pref = $tikilib->get_preference('site_view_user_information',tra('public'));

// Check for self-viewing
if (isset($_REQUEST['view_user']))
{	$userwatch = $_REQUEST['view_user'];
	if (isset($user))
	{	if (0==strcasecmp($user,$userwatch))
		{	$bool_view_okay=TRUE;
}	}	} elseif (isset($user))
{	if ($user)
	{	$userwatch = $user;
}	} else
{	if (0==strcasecmp(tra('public'),$sz_site_view_pref))
	{	$smarty->assign('msg',tra('No user indicated'));
}	}

// Keep checking permissions if site preference is for non-public viewing access
if (0<>strcasecmp(tra('public'),$sz_site_view_pref))
{	// Check page access permissions
	if ('y'==$tiki_p_view)
	{	if (isset($tiki_p_view_user_info))
		{	if ('y'==$tiki_p_view_user_info)
			{	$bool_view_okay=TRUE;
		}	} else
		{	$bool_view_okay=TRUE;
	}	}

	// Deny page access if not okay to view
	if (!$bool_view_okay)
	{	if (isset($user))
		{	$smarty->assign('msg',tra('You may only view your own profile information.'));
		} else
		{// Redirect to log in, if insufficient permissions and not logged in
			$smarty->assign('errortitle',tra("Please login"));
		if (!$bool_view_okay)
		{	$smarty->display('error.tpl');
}	}	}

4. Rename the installed 'tiki-user_information.php' to 'oldtiki-user_information.php', then 'newtiki-user_information.php' to 'tiki-user_information.php'