authorEd Lyons <ejlyons@ix.netcom.com>2013-02-02 17:58:59 -0500
committerSteve Clay <steve@mrclay.org>2013-02-02 20:55:22 -0500
commit035f68a467ab50776c3f52af0cceb750d60cb4a9 (patch)
tree31160c537dd6c1745fe7f6db089a1e897ea454a5
parent9b8839602051aa1b5c441695ae897c0b049ff889 (diff)
downloadelgg-035f68a467ab50776c3f52af0cceb750d60cb4a9.tar.gz
elgg-035f68a467ab50776c3f52af0cceb750d60cb4a9.tar.bz2
Update mod/messages/start.php
We had an Elgg user named Chris Read with username 'read'. Once he registered, people's messages stopped working because hitting a message in your inbox used a URL like: [site_name]/messages/read/459 - and the message code, supporting the old URL format, took the parameter right after messages and did a user lookup on that word. So, since it got a user, it redirected to his inbox. Yipes! So I put in some code checking that the parameter really is your username, so it would work for Chris, but not for anyone else. It works fine now.
-rw-r--r--mod/messages/start.php13
1 files changed, 11 insertions, 2 deletions
diff --git a/mod/messages/start.php b/mod/messages/start.php
index e17640098..95ebffbdb 100644
--- a/mod/messages/start.php
+++ b/mod/messages/start.php
@@ -85,8 +85,17 @@ function messages_page_handler($page) {
// supporting the old inbox url /messages/<username>
$user = get_user_by_username($page[0]);
if ($user) {
- $page[1] = $page[0];
- $page[0] = 'inbox';
+ // Need to make sure that the username of the parameter is actually
+ // the username of the logged in user. This will prevent strange
+ // errors like grabbing the 'read' parameter and looking up
+ // a user with username 'read' and finding it and redirecting
+ // to that other person's inbox.
+
+ if ($user->username == elgg_get_logged_in_user_entity()->username) {
+ // OK, so it is our username and not someone else's
+ $page[1] = $page[0];
+ $page[0] = 'inbox';
+ }
}
if (!isset($page[1])) {
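Review bot: The ownership check on the added `if ($user->username == elgg_get_logged_in_user_entity()->username)` line dereferences the logged-in entity without a null check and compares usernames with loose `==`, under which two different numeric-looking strings can compare equal. Comparing identities is tighter and stays safe when nobody is logged in: `if ($user->guid == elgg_get_logged_in_user_guid()) {`. The keyword collision also remains for the colliding account itself: a logged-in user whose username matches a route segment (the `read` case from the commit message) still has `/messages/read/<id>` rewritten to `inbox`, so the rewrite should probably be skipped when `$page[0]` is one of the handler's own route names. messages_page_handler starts and ends outside this hunk, so whether an earlier login guard or the inbox view itself enforces ownership cannot be confirmed from here.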