10-21-2017, 08:56 AM
Found another major issue:
http://localhost/usercontrol/users/user_settings.php
This check is not valid:
Code:
<?php if (($settings->change_un == 0) || (($settings->change_un == 2) && ($user->data()->un_changed == 1)) ) {
    // "readonly" is only a hint to the browser; nothing on the server enforces it
    echo "<input class='form-control' type='text' name='username' value='$displayname' readonly/>";
} else {
    echo "<input class='form-control' type='text' name='username' value='$displayname'>";
} ?>
The user can open the developer console (in Chrome, Ctrl+Shift+I) and remove "readonly" - that's it, now the user can change his name even if he is not allowed to.
That's what I've added for myself (two additional checks):
Code:
$validation->check($_POST, array(
    'username' => array(
        'display' => 'Username',
        'required' => true,
        'unique_update' => 'users,' . $userId,
        'min' => (int)$settings->min_un,
        'max' => (int)$settings->max_un,
        'valid_username' => true,    // new rule: English letters and digits only
        'can_change_name' => true    // new rule: enforce the change_un policy on the POST
    )
));
In validate.php I added this code:
Code:
case 'valid_username':
    // A match means the value contains a character outside A-Z, a-z, 0-9.
    // preg_match stops at the first such character, so the whole input is not scanned.
    if (preg_match('/[^A-Za-z0-9]/', $value)) {
        $this->addError(["{$display} is using the wrong format", $item]);
    }
    break;
case 'can_change_name':
    // Same condition as the readonly check in user_settings.php, now enforced server-side.
    global $settings;
    global $user;
    if (($settings->change_un == 0) || (($settings->change_un == 2) && ($user->data()->un_changed == 1))) {
        $this->addError(["You are not allowed to change your name.", $item]);
    }
    break;
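The same fix as a stand-alone script, added here as an example; it is not the poster's patch and not UserSpice code. The point it shows is that the "may this user change the username?" decision has to live in one server-side function that both the form renderer and the POST validator call, so stripping `readonly` in the browser's developer tools changes nothing. `$settings`, `$userData`, `canChangeUsername`, `validateUsername` and `renderUsernameInput` are hypothetical stand-ins for the page's `$settings`, `$user->data()` and the validation rules above; the sample settings and the forged POST are constructed. One design choice that differs from the post: an unchanged username is accepted even when changes are disallowed, since a readonly field is still submitted with the form.

```php
<?php
// Added example, not UserSpice code. One decision function drives both the
// rendered form and the server-side validation of the submitted value.

// change_un policy (as in the post): 0 = never, 1 = always, 2 = once (tracked by un_changed)
function canChangeUsername(object $settings, object $userData): bool
{
    if ((int)$settings->change_un === 0) {
        return false;
    }
    if ((int)$settings->change_un === 2 && (int)$userData->un_changed === 1) {
        return false;
    }
    return true;
}

// Mirrors the can_change_name / min / max / valid_username rules from the post.
// Returns a list of error strings; an empty list means the value is acceptable.
function validateUsername(string $value, object $settings, object $userData, string $current): array
{
    $errors = [];
    if ($value === $current) {
        return $errors; // unchanged username: a readonly field is still posted, so allow it
    }
    if (!canChangeUsername($settings, $userData)) {
        $errors[] = 'You are not allowed to change your name.';
    }
    $len = strlen($value);
    if ($len < (int)$settings->min_un || $len > (int)$settings->max_un) {
        $errors[] = sprintf('Username must be between %d and %d characters.',
            (int)$settings->min_un, (int)$settings->max_un);
    }
    // preg_match stops at the first character outside A-Z, a-z, 0-9.
    if (preg_match('/[^A-Za-z0-9]/', $value)) {
        $errors[] = 'Username may contain only English letters and digits.';
    }
    return $errors;
}

// The readonly attribute is purely cosmetic here; the real control is validateUsername().
function renderUsernameInput(string $displayname, object $settings, object $userData): string
{
    $ro = canChangeUsername($settings, $userData) ? '' : ' readonly';
    return "<input class='form-control' type='text' name='username' value='"
        . htmlspecialchars($displayname, ENT_QUOTES) . "'$ro/>";
}

// Constructed sample data: "change once" policy, and this user already used the change.
$settings = (object)['change_un' => 2, 'min_un' => 3, 'max_un' => 20];
$userData = (object)['un_changed' => 1];
$current  = 'alice';

echo renderUsernameInput($current, $settings, $userData), PHP_EOL;

// Constructed forged POST: the browser's readonly attribute was removed in dev tools.
$post = ['username' => 'mallory'];
foreach (validateUsername($post['username'], $settings, $userData, $current) as $error) {
    echo 'error: ', $error, PHP_EOL;
}

// The unchanged value submitted from the readonly form passes.
echo count(validateUsername($current, $settings, $userData, $current)) === 0 ? 'ok' : 'rejected', PHP_EOL;
```

Run it with `php` from the command line; the forged value is rejected with "You are not allowed to change your name." while the unchanged username is accepted. If the field really must be unchangeable, a cleaner variant is to render it without a `name` attribute and ignore `username` in the POST altogether, so there is nothing for the client to tamper with.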