Nearly two hours after site launch my first members found out that you can assign yourself another nickname in the chatbox when just altering the querystring and reloading the page.

Comments

darren oh’s picture

Status: Active » Closed (fixed)

This is too vague (how do you change the query string?). I can't reproduce this bug.

darren oh’s picture

Version: 4.6.x-1.x-dev » master
Status: Closed (fixed) » Active

Resetting to active. Maybe someone will investigate this in more detail.

darren oh’s picture

Nicknames are set by GET and POST requests. I'll take suggestions to change this. Here is the name-setting code:

  if (isset($_GET['nickname']) && $_GET['nickname'] != '') {
    $nickname = $_GET['nickname'];
  }
  elseif (isset($_POST['nickname']) && $_POST['nickname'] != '') {
    $nickname = $_POST['nickname'];
  }
  else {
    srand(time());
    $nickname = $user->uid ? $user->name : t('Guest') . rand(100, 999);
  }

darren oh’s picture

I modified the code to require users to use either their user name or a system-assigned guest name:

  // figure nickname
  if (isset($_GET['nickname']) && $_GET['nickname'] != '') {
    $nickname = $user->uid ? $user->name : $_GET['nickname'];
  }
  elseif (isset($_POST['nickname']) && $_POST['nickname'] != '') {
    $nickname = $user->uid ? $user->name : $_POST['nickname'];
  }
  else {
    srand(time());
    $nickname = $user->uid ? $user->name : t('Guest') . rand(100, 999);
  }
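
One way to keep the request out of the decision entirely, as an added example that is not the chatbox module's code: the nickname is derived from the account, or for guests assigned once and kept in the session. The function name, the session key and the `$is_taken` callback are assumptions, and it uses modern PHP (`random_int`) with a literal `'Guest'` prefix instead of `t('Guest')` so it runs stand-alone.

```php
<?php
// Added example (hypothetical helper names, not from the chatbox module).
// The nickname comes from the account or the session, never from the request.

/**
 * @param object   $user     Account object with ->uid and ->name (uid 0 = anonymous).
 * @param array    $session  Session storage, by reference ($_SESSION in practice).
 * @param callable $is_taken Returns true if a name belongs to an account or active guest.
 */
function chatbox_resolve_nickname($user, array &$session, callable $is_taken): string {
  // Authenticated users always post under their account name.
  if (!empty($user->uid)) {
    return $user->name;
  }
  // Guests keep the name assigned on their first request.
  if (isset($session['chatbox_nickname'])) {
    return $session['chatbox_nickname'];
  }
  // Assign a guest name with a CSPRNG and skip names already in use.
  for ($i = 0; $i < 20; $i++) {
    $candidate = 'Guest' . random_int(100, 999);
    if (!$is_taken($candidate)) {
      return $session['chatbox_nickname'] = $candidate;
    }
  }
  throw new RuntimeException('No free guest nickname available');
}

// Constructed sample data for a stand-alone run.
$taken = ['admin', 'alice'];
$is_taken = function (string $name) use ($taken): bool {
  return in_array(strtolower($name), $taken, true);
};

// A request-supplied nickname is present, but the resolver never reads it.
$_GET['nickname'] = 'admin';

$guest_session = [];
$guest = (object) ['uid' => 0, 'name' => ''];
$first = chatbox_resolve_nickname($guest, $guest_session, $is_taken);
$second = chatbox_resolve_nickname($guest, $guest_session, $is_taken);
assert($first === $second);                          // stable across requests
assert(preg_match('/^Guest\d{3}$/', $first) === 1);  // system-assigned format

$alice_session = [];
$alice = (object) ['uid' => 7, 'name' => 'alice'];
assert(chatbox_resolve_nickname($alice, $alice_session, $is_taken) === 'alice');

echo "guest: $first, member: alice\n";
```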

darren oh’s picture

Status: Active » Fixed

Fixed in DRUPAL-4-5, DRUPAL-4-6, DRUPAL-4-7, and HEAD.

Anonymous’s picture

Status: Fixed » Closed (fixed)