author Ed Lyons <ejlyons@ix.netcom.com> 2013-02-02 17:58:59 -0500
committer Steve Clay <steve@mrclay.org> 2013-02-02 20:55:22 -0500
commit 035f68a467ab50776c3f52af0cceb750d60cb4a9 (patch)
tree 31160c537dd6c1745fe7f6db089a1e897ea454a5 /mod/messages
parent 9b8839602051aa1b5c441695ae897c0b049ff889 (diff)
Update mod/messages/start.php
We had an Elgg user named Chris Read with username 'read'. Once he registered, people's messages stopped working because hitting a message in your inbox was a URL like: [site_name]/messages/read/459 - and the message code, supporting the old URL format, looked up the parameter right after messages and did a lookup on that word. So, since it got a user, it redirected to his inbox. Yipes! So I put in some code checking that the parameter really is your username, so it would work for Chris, but not for anyone else. It works fine now.
Diffstat (limited to 'mod/messages')
-rw-r--r-- mod/messages/start.php 13
1 files changed, 11 insertions, 2 deletions
diff --git a/mod/messages/start.php b/mod/messages/start.php
index e17640098..95ebffbdb 100644
--- a/mod/messages/start.php
+++ b/mod/messages/start.php
@@ -85,8 +85,17 @@ function messages_page_handler($page) {
// supporting the old inbox url /messages/<username>
$user = get_user_by_username($page[0]);
if ($user) {
- $page[1] = $page[0];
- $page[0] = 'inbox';
+ // Need to make sure that the username of the parameter is actually
+ // the username of the logged in user. This will prevent strange
+ // errors like grabbing the 'read' parameter and looking up
+ // a user with username 'read' and finding it and redirecting
+ // to that other person's inbox.
+
+ if ($user->username == elgg_get_logged_in_user_entity()->username) {
+ // OK, so it is our username and not someone else's
+ $page[1] = $page[0];
+ $page[0] = 'inbox';
+ }
}
if (!isset($page[1])) {
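Review bot: The guard on the `if ($user->username == elgg_get_logged_in_user_entity()->username)` line still misroutes the one account whose username collides with a route segment: for the logged-in user 'read', a request to /messages/read/459 passes the check and is rewritten to the inbox, so that user cannot open individual messages. Matching the handler's own segments (such as 'read') before attempting the legacy username lookup would remove the ambiguity for every user rather than all but one. The same line also dereferences the return value of elgg_get_logged_in_user_entity() without a null check; unless an earlier part of the handler already requires a logged-in user, comparing `$user->guid` with `elgg_get_logged_in_user_guid()` avoids that, and the nested `if` can then fold into the outer `if ($user && ...)` condition.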