Hi,

I use the Campaign Monitor module. Users can choose to subscribe during registration.

But as an anonymous user, I can access the URL (with any registered uid) http://mysite.com/user/[uid]/newsletters and can access the form (see attachment).

An anonymous user shouldn't be able to see this form except in the registration page.

Any idea? Thx.

Nicolas

Attachment: issue.png (2.77 KB), uploaded by Nicolas92

Comments

Nicolas92

I fixed it by adding a few lines:

function campaignmonitor_user_form() {
  global $user;
  $form = array();
  // Replace api_key and list_id with your own details
  $api_key = variable_get('campaignmonitor_api_key', '');
  $list_id = variable_get('campaignmonitor_list_id', '');
  $email = $user->mail;
  $arg2 = arg(2);
  // Only build the form for a logged-in user, or for an anonymous visitor
  // who is on the registration page. Note that this checks only that the
  // viewer is logged in, not that the uid in the URL is the viewer's own.
  if ((!$user->uid && $arg2 == 'register') || $user->uid) {
    // Pre-tick the checkbox when the address is already on the list.
    if (_campaignmonitor_is_subscribed($api_key, $list_id, $email, TRUE)) {
      $default = TRUE;
    }
    else {
      $default = FALSE;
    }
    $form['subscribe_newsletter'] = array(
      '#type' => 'checkbox',
      '#title' => variable_get('campaignmonitor_userpagedisplaytext', 'Newsletter'),
      '#default_value' => $default,
    );
    // Carry the current state along so the submit handler can detect a change.
    $form['is_subscribed'] = array(
      '#type' => 'hidden',
      '#default_value' => $default,
    );
    $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
    return $form;
  }
  else {
    // Anonymous visitor outside registration: send them elsewhere.
    drupal_goto('my_url');
  }
}
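The redirect above runs inside the form builder and only asks whether someone is logged in, so any authenticated account could still open another uid's form. The usual Drupal 6 way to close that hole is to put the check in the menu router, where it runs before the builder and again on submit because the form posts back to the same path. This is an added illustration, not the module's own code; the menu path, the callback names and the 'administer users' permission are assumptions.

```php
<?php
// Added example for Drupal 6: enforce the owner check in hook_menu() instead
// of inside the form builder. Path and callback names are assumptions.

function campaignmonitor_menu() {
  $items = array();
  // %user makes the router call user_load() on the uid in position 1 and hand
  // the loaded account to both the access callback and the page callback. A
  // uid that does not exist yields a 404 before any access check runs.
  $items['user/%user/newsletters'] = array(
    'title' => 'Newsletters',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('campaignmonitor_user_form', 1),
    'access callback' => 'campaignmonitor_newsletter_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

// Access callback (assumed name): only the account owner or an administrator
// may view or submit this form. Anonymous visitors (uid 0) are refused here,
// so the form builder never runs for them; a POST hits the same path, so the
// same check guards the submission.
function campaignmonitor_newsletter_access($account) {
  global $user;
  if (!$user->uid || !$account || empty($account->uid)) {
    return FALSE;
  }
  return $user->uid == $account->uid || user_access('administer users');
}

// Form builder: works from the account the router loaded and checked, never
// from an unchecked URL argument. _campaignmonitor_is_subscribed() is the
// helper the original code already calls.
function campaignmonitor_user_form(&$form_state, $account) {
  $api_key = variable_get('campaignmonitor_api_key', '');
  $list_id = variable_get('campaignmonitor_list_id', '');
  $default = (bool) _campaignmonitor_is_subscribed($api_key, $list_id, $account->mail, TRUE);
  $form['subscribe_newsletter'] = array(
    '#type' => 'checkbox',
    '#title' => variable_get('campaignmonitor_userpagedisplaytext', 'Newsletter'),
    '#default_value' => $default,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}
```

With this in place, the registration page keeps its own copy of the checkbox via hook_user, while user/[uid]/newsletters returns 403 to anyone who is not that user or an administrator.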

kevinquillen

Priority: Normal » Critical

Whoa, this is a pretty bad bug. Anonymous people can see anyone's newsletter subscriptions and submit them.

#1 fixed it for me.

matglas86

Status: Active » Needs work

The bug is fixed in the latest release of the module (6.x-3.0). @Nicolas92, could you create a patch for 2.3 based on your suggestion?

kevinquillen

Thanks

crea

This is still not fixed in 3.x beta 2. You can still access the form.

crea

I've created a separate issue for 3.x: #997412: User newsletters access control

ssherriff

Status: Needs work » Fixed

Committed to CVS; it will be released with the next version of the 6.x-2.x branch.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.