user can see other users flags by changing the URL

tomsm - October 5, 2009 - 19:46
Project:Flag
Version:6.x-2.x-dev
Component:Miscellaneous
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed
Description

I have a question regarding security.
The URL that a user gets when he opens his "bookmarks" tab in his user profile is:
http://localhost/drupal/en/user/1/favorites

But when he changes the argument (1) to something else, for example (2), he sees the flags of user 2.
How can I prevent this?

#1

quicksketch - October 6, 2009 - 00:26

Views doesn't provide any way to restrict access to a view based on the User ID matching the current user, so I'm not sure if you can set up a path like user/x/favorites. However, you can emulate the default "bookmarks" view that comes with Flag and just set up a path at "/favorites", which limits all flaggings to the current user instead of all users.

#2

tomsm - October 15, 2009 - 08:35

Would it be possible to validate the Uid argument with php code to check if the argument is the Uid of the current user?
If yes, can someone help me with this php code? It should return true if the uid == current user.

#3

tomsm - October 20, 2009 - 07:18

No one?

#4

oklok - October 26, 2009 - 22:42

Interesting, but I didn't get you.

First of all, the link for the bookmarks in my Drupal setup is:

drupal-6.14/?q=user/4/bookmarks

I navigated to
Home » Administer » Site building » Views » Edit view flag_bookmarks
but I can't see anywhere how to set up a path at "/favorites".
How should I proceed from Edit view flag_bookmarks?

#5

tomsm - October 27, 2009 - 08:16

In your URL there is a "?q=user/%/". I recommend that you enable clean URLs. Then you can set a path like user/%/favorites where % is the user id. You have to select the Page display in the view. Then in the first column you will see the "Page settings". The path setting allows you to change the path.

The problem I have is that when a user changes the user id (%) in the URL, he is able to see the flagged content of other users.

#6

quicksketch - October 27, 2009 - 17:09

Would it be possible to validate the Uid argument with php code to check if the argument is the Uid of the current user?
If yes, can someone help me with this php code? It should return true if the uid == current user.

You can use this PHP code to validate that the argument matches the current user. You should make the argument show "Access denied/Page not found" as the option for what to do if the validation fails.

In the PHP code validation area use this (without the PHP brackets):

<?php
// $argument is the value taken from the URL (the "1" in user/1/favorites);
// $GLOBALS['user'] is the account of the currently logged-in user.
return $argument == $GLOBALS['user']->uid;
?>
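
A stricter variant of the validator from this comment (and of what #2 asked for), as an added example rather than code from the thread or from the Flag or Views projects. It assumes the Views 2 "PHP Code" argument validator exposes the raw URL value as $argument (as the snippet above does), that $GLOBALS['user'] is the current account, and that user_access() is the Drupal 6 permission check; the 'administer users' exception is an assumption about which role should be allowed to view other users' bookmarks, so drop it if nobody should.

```php
<?php
// Added example, not code from the thread or the Flag/Views projects.
// Views 2 (Drupal 6) argument validator, "PHP Code" type. Views exposes the
// raw URL argument as $argument; $GLOBALS['user'] is the logged-in account.
// Compared with the one-line check above, this version also:
//  - rejects non-integer arguments instead of relying on loose == comparison,
//  - refuses the anonymous account (uid 0) so user/0/favorites never validates,
//  - lets users holding 'administer users' view any profile's flags
//    (assumption: that is the permission you want the exception tied to).
//
// Paste the body without the <?php ?> tags into the validator's PHP Code field
// and set "Action to take if argument does not validate" to
// "Display page not found" or "Display access denied".

// Only a plain decimal integer is acceptable: "1abc", "1.0" or " 1" would
// satisfy a loose == comparison in PHP, so normalise and compare as strings.
if (!is_numeric($argument) || (string) (int) $argument !== (string) $argument) {
  return FALSE;
}

$requested_uid = (int) $argument;
$account = $GLOBALS['user'];

// The anonymous user has uid 0; it must never "own" a favorites page, and an
// anonymous visitor must never pass this validator at all.
if ($requested_uid === 0 || empty($account->uid)) {
  return FALSE;
}

// Administrators may inspect any user's flaggings (assumed policy).
if (user_access('administer users', $account)) {
  return TRUE;
}

// Everyone else only passes when the uid in the URL is their own.
return $requested_uid === (int) $account->uid;
?>
```

The validator runs before the view queries anything, so a request for another user's uid is turned into the configured "page not found" or "access denied" response instead of a list of that user's flags; keep "Access denied" rather than a redirect so the attempt is also logged like any other denied page in Drupal's access log.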

#7

tomsm - October 28, 2009 - 08:50

Thanks! The PHP validation works great.
Shouldn't this be committed?

I also removed the "all" wildcard.

#8

quicksketch - October 28, 2009 - 15:17

Shouldn't this be committed?

If you mean that there should be a feature to "Validate user argument is current user", then a request should be filed with the Views project.

#9

tomsm - October 29, 2009 - 20:40

I have submitted a feature request with the Views project: http://drupal.org/node/605142

#10

quicksketch - October 29, 2009 - 23:19
Status:active» fixed

Great, marking fixed as a support request.

#11

System Message - November 12, 2009 - 23:20
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.
