After sending a private message, an anonymous user is presented with the option to create a folder. After creating a folder they can then view folders and see all sent messages from all anonymous users.

Wow, this is not good!

Comments


Status: Active » Needs review

I've modified privatemsg_page() to check if the user is logged in for all operations except 'msgto' and 'send'.

This should definitely be reviewed and committed.

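/**
 * Menu callback for all privatemsg pages.
 *
 * Dispatches on $op, which is the POSTed "op" value (a form button label or
 * an op string) or, when nothing was posted, the second URL path component
 * (arg(1)). The third path component (arg(2)) is handed to the handlers as
 * $arg (a message id, folder id or user id depending on the operation).
 *
 * Access rule: every operation that lists, reads, moves or deletes messages
 * or folders requires a logged-in user ($user->uid > 0). Only 'msgto' and
 * 'send' are reachable by anonymous users, so granting guests access to the
 * privatemsg path lets them send messages and nothing else. An operation that
 * sets no $output ends in drupal_not_found().
 *
 * Several case labels are localised button labels (t('...')), so routing of a
 * POSTed form depends on the active translation producing the same label that
 * was rendered into the form.
 *
 * NOTE(review): state-changing operations are selected from $_POST alone with
 * no form token, so this callback offers no CSRF protection; adding one is
 * outside the scope of the access fix made here.
 */
function privatemsg_page() {
  global $user;

  $logged_in = ($user->uid > 0);
  $breadcrumb = NULL;
  $title = NULL;
  $output = NULL;

  // Form values; absent keys yield NULL instead of an undefined-index notice.
  $op = isset($_POST["op"]) ? $_POST["op"] : NULL;
  $edit = isset($_POST["edit"]) ? $_POST["edit"] : NULL;
  $recipient = isset($_POST["recipient"]) ? $_POST["recipient"] : NULL;
  $msg = isset($_POST["msg"]) ? $_POST["msg"] : NULL;

  if (empty($op)) {
    $op = arg(1);
  }
  $arg = arg(2);

  // Breadcrumb shared by the message pages.
  $pm_breadcrumb = array(l(t('Home'), ''), l(t('private messages'), 'privatemsg'));

  switch ($op) {
    case 'list':
      if ($logged_in) {
        $output = _privatemsg_list($arg);
        $title = t('Private messages');
      }
      break;

    case 'view':
      if ($logged_in) {
        $output = _privatemsg_view($arg);
        $title = t("Read message");
        $breadcrumb = $pm_breadcrumb;
      }
      break;

    case t('Write a new message'):
      // The "new message" button carries no message argument; fall through
      // into the shared compose handler with an empty $arg.
      $arg = "";
    case 'form':
    case 'reply':
      if ($logged_in) {
        $output = _privatemsg_form($arg);
        $title = t("Write a new message");
        $breadcrumb = $pm_breadcrumb;
      }
      break;

    case 'msgto':
      // Deliberately open to anonymous users: pre-fills the compose form with
      // the recipient named in the URL (/privatemsg/msgto/UID). $msg is the
      // form prefill object here, not the POSTed message-id list, so build a
      // fresh object instead of assigning a property on whatever was posted.
      $msg = new stdClass();
      $msg->recipient = db_result(db_query("SELECT name FROM {users} WHERE uid = '%d'", $arg));
      $output = _privatemsg_form($msg);
      $title = t("Write a new message");
      $breadcrumb = $pm_breadcrumb;
      break;

    case 'send':
    case t('Send private message'):
      // Deliberately open to anonymous users (the one thing guests may do).
      if (empty($edit["recipient"])) {
        $edit["recipient"] = $recipient;
      }
      $breadcrumb = $pm_breadcrumb;
      $output = _privatemsg_edit($edit);
      break;

    case t('Move to folder'):
      if ($logged_in) {
        $folder = isset($edit["folder"]) ? $edit["folder"] : NULL;
        // Folder 0 needs no ownership check (presumably the default folder);
        // any other target folder must belong to the current user.
        if ($folder == 0 || db_result(db_query("SELECT fid FROM {privatemsg_folder} WHERE fid = '%d' AND uid = '%d'", $folder, $user->uid))) {
          if ($msg) {
            // NOTE(review): ownership of each $mid is not checked here;
            // presumably _privatemsg_move() does so — confirm.
            foreach ($msg as $mid) {
              _privatemsg_move($mid, $folder);
            }
            $output = _privatemsg_list($folder);
            break;
          }
        }
        $output = _privatemsg_list();
      }
      break;

    case t('Delete messages'):
      if ($logged_in) {
        if ($msg) {
          // NOTE(review): ownership of each $id is not checked here;
          // presumably _privatemsg_delete() does so — confirm.
          foreach ($msg as $id) {
            _privatemsg_delete($id);
          }
        }
        $output = _privatemsg_list();
      }
      break;

    case 'delete':
      if ($logged_in) {
        // NOTE(review): see the ownership caveat on 'Delete messages'.
        _privatemsg_delete($arg);
        $output = _privatemsg_list();
      }
      break;

    case t('New folder'):
    case t('Add folder'):
      if ($logged_in) {
        if (!empty($edit["name"])) {
          // Folder names are unique per user; silently ignore a duplicate.
          if (!db_result(db_query("SELECT name FROM {privatemsg_folder} WHERE name = '%s' AND uid = '%d'", $edit["name"], $user->uid))) {
            db_query("INSERT INTO {privatemsg_folder} (uid, name) VALUES ('%d', '%s')", $user->uid, $edit["name"]);
          }
          $output = _privatemsg_list();
        }
        else {
          // No name submitted yet: show the "create folder" form.
          $title = t('Create new folder');
          $breadcrumb = array(l(t('Home'), ''), l('Private messages', 'privatemsg'));
          $output = _privatemsg_new_folder($edit);
        }
      }
      break;

    case t('Delete folder'):
      // Fix: this case previously had no login check. The ownership query
      // protected the DELETE, but $output = _privatemsg_list() still ran for
      // anonymous users, giving them the message listing the rest of this
      // function denies them. It now requires a logged-in user like every
      // other list/modify operation.
      if ($logged_in) {
        $fid = isset($edit["current_folder"]) ? $edit["current_folder"] : NULL;
        // Only delete a folder the current user owns.
        if (db_result(db_query("SELECT fid FROM {privatemsg_folder} WHERE fid = '%d' AND uid = '%d'", $fid, $user->uid))) {
          db_query("DELETE FROM {privatemsg_folder} WHERE fid = '%d'", $fid);
          db_query("UPDATE {privatemsg} SET recipient_del = 1 WHERE folder = '%d'", $fid);
        }
        $output = _privatemsg_list();
      }
      break;

    case t('Empty folder'):
      if ($logged_in) {
        $fid = isset($edit["current_folder"]) ? $edit["current_folder"] : NULL;
        if ($fid == 1) {
          // Folder 1 is the user's sent messages: flag everything they
          // authored as deleted on the author side.
          db_query("UPDATE {privatemsg} SET author_del = 1 WHERE author = '%d'", $user->uid);
        }
        else if ($fid == 0 || db_result(db_query("SELECT fid FROM {privatemsg_folder} WHERE fid = '%d' AND uid = '%d'", $fid, $user->uid))) {
          // Folder 0 needs no ownership check; other folders must be the
          // user's own. Only messages received by this user are flagged.
          db_query("UPDATE {privatemsg} SET recipient_del = 1 WHERE folder = '%d' AND recipient = '%d'", $fid, $user->uid);
        }
        $output = _privatemsg_list();
      }
      break;

    default:
      // Unknown or missing op: show the listing to logged-in users only.
      if ($logged_in) {
        $output = _privatemsg_list();
        $title = t('Private messages');
      }
      break;
  }

  if ($output) {
    drupal_set_title($title);
    drupal_set_breadcrumb($breadcrumb);
    print theme('page', $output);
  }
  else {
    // Anonymous access to a guarded operation, or an op with nothing to show.
    drupal_not_found();
  }
}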

Version: 4.6.x-1.x-dev »

changing to CVS


Assigned: Unassigned » mindless
Status: Needs review » Needs work

This is a good start, as it blocks the operations we don't want guests to perform. However, guests still see some links they shouldn't (that will lead to access-denied with this change). I'll try to hunt those down too.


Status: Needs work » Fixed

Fix applied to HEAD and DRUPAL-4-7. Now if you grant anonymous access to privatemsg, guests can only send private messages.


Status: Fixed » Closed (fixed)