author | Ed Lyons <ejlyons@ix.netcom.com> | 2013-02-02 17:58:59 -0500 |
---|---|---|
committer | Steve Clay <steve@mrclay.org> | 2013-02-02 20:55:22 -0500 |
commit | 035f68a467ab50776c3f52af0cceb750d60cb4a9 (patch) | |
tree | 31160c537dd6c1745fe7f6db089a1e897ea454a5 /mod/messages/start.php | |
parent | 9b8839602051aa1b5c441695ae897c0b049ff889 (diff) | |
download | elgg-035f68a467ab50776c3f52af0cceb750d60cb4a9.tar.gz elgg-035f68a467ab50776c3f52af0cceb750d60cb4a9.tar.bz2 |
Update mod/messages/start.php
We had an Elgg user named Chris Read with username 'read'. Once he registered, people's messages stopped working because hitting a message in your inbox was a URL like: [site_name]/messages/read/459 - and the message code, supporting the old URL format, looked up the parameter right after messages and did a lookup on that word. So, since it got a user, it redirected to his inbox. Yipes! So I put in some code checking that the parameter really is your username, so it would work for Chris, but not for anyone else. It works fine now.
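The route collision described in the commit message, reduced to a stand-alone sketch. This is an added example, not Elgg's code: the user table, the `RESERVED` action list and the two `route_*` functions are constructed for illustration, and `lookup_user` stands in for Elgg's `get_user_by_username()`. It shows the pre-patch behaviour (any path segment is tried as a username first), a variant that resolves the handler's own action words before falling back to the legacy `/messages/<username>` form and compares GUIDs rather than username strings, and a registration-time guard that refuses usernames shadowing a route word.

```php
<?php
// Added example (not Elgg's own code). Everything below is constructed for
// illustration; none of these names are Elgg APIs.

// Constructed user table: username => guid. 'read' is the colliding account.
$USERS = ['alice' => 101, 'read' => 459, 'bob' => 202];

// Action words the messages handler owns. A username equal to one of these
// must never win the lookup.
const RESERVED = ['inbox', 'sent', 'read', 'compose'];

// Stand-in for get_user_by_username(): returns a guid or null.
function lookup_user(array $users, string $username): ?int
{
    return $users[$username] ?? null;
}

// Behaviour before the patch: whatever follows /messages/ is tried as a
// username first, so /messages/read/459 resolves to the user 'read' once
// that account exists and the request is rewritten to that user's inbox.
function route_vulnerable(array $page, array $users): array
{
    $guid = lookup_user($users, $page[0]);
    if ($guid !== null) {
        $page[1] = $page[0];
        $page[0] = 'inbox';
    }
    return $page;
}

// Hardened variant: action words are matched before any user lookup, and the
// legacy username form is honoured only when the segment names the logged-in
// user. Comparing GUIDs avoids dereferencing a missing login and avoids
// string comparison of usernames.
function route_fixed(array $page, array $users, ?int $logged_in_guid): array
{
    if (in_array($page[0], RESERVED, true)) {
        return $page; // a route word is never treated as a username
    }
    $guid = lookup_user($users, $page[0]);
    if ($guid !== null && $logged_in_guid !== null && $guid === $logged_in_guid) {
        $page[1] = $page[0];
        $page[0] = 'inbox';
    }
    return $page;
}

// Registration-time guard: refuse usernames that shadow a route word so the
// collision cannot be created at all.
function username_allowed(string $username): bool
{
    return !in_array(strtolower($username), RESERVED, true);
}

// Demonstration on the URL from the commit message, /messages/read/459,
// requested by alice (guid 101), plus the legacy own-inbox and other-user forms.
$cases = [
    'vulnerable /messages/read/459' => route_vulnerable(['read', '459'], $USERS),
    'fixed      /messages/read/459' => route_fixed(['read', '459'], $USERS, 101),
    'fixed      /messages/alice'    => route_fixed(['alice'], $USERS, 101),
    'fixed      /messages/bob'      => route_fixed(['bob'], $USERS, 101),
];
foreach ($cases as $label => $page) {
    printf("%s -> %s\n", $label, implode('/', $page));
}
printf("register 'read' allowed? %s\n", username_allowed('read') ? 'yes' : 'no');
```

The order of the two checks is the whole point: once a segment has been recognised as an action, no user lookup happens, so a later registration of a colliding username cannot change routing for anyone. The GUID comparison also covers the unauthenticated case, where there is no logged-in user to compare against.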
Diffstat (limited to 'mod/messages/start.php')
-rw-r--r-- | mod/messages/start.php | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/mod/messages/start.php b/mod/messages/start.php index e17640098..95ebffbdb 100644 --- a/mod/messages/start.php +++ b/mod/messages/start.php @@ -85,8 +85,17 @@ function messages_page_handler($page) { // supporting the old inbox url /messages/<username> $user = get_user_by_username($page[0]); if ($user) { - $page[1] = $page[0]; - $page[0] = 'inbox'; + // Need to make sure that the username of the parameter is actually + // the username of the logged in user. This will prevent strange + // errors like grabbing the 'read' parameter and looking up + // a user with username 'read' and finding it and redirecting + // to that other person's inbox. + + if ($user->username == elgg_get_logged_in_user_entity()->username) { + // OK, so it is our username and not someone else's + $page[1] = $page[0]; + $page[0] = 'inbox'; + } } if (!isset($page[1])) { |
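Review bot: the new `if ($user->username == elgg_get_logged_in_user_entity()->username)` guard narrows the collision rather than removing it: a user whose own username is 'read' still has `/messages/read/459` rewritten to `inbox/read`, because the username lookup still runs before the handler's own action words are considered. Checking `$page[0]` against the known actions (inbox, sent, read, compose) before calling `get_user_by_username()` would fix it for every user; rejecting those names at registration would prevent the collision altogether. Also, `elgg_get_logged_in_user_entity()` is dereferenced without a null check; unless the handler is already behind a gatekeeper (none is visible in the hunk), an anonymous request raises a notice here. Comparing GUIDs, e.g. `if ($user->guid == elgg_get_logged_in_user_guid())`, avoids both the dereference and the string comparison.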