authorCash Costello <cash.costello@gmail.com>2013-02-23 08:05:01 -0500
committerCash Costello <cash.costello@gmail.com>2013-02-23 08:05:01 -0500
commit9bda5425d8a1e33ce42ea11de12918706768c39b (patch)
treeb92870c7db03630b5534958ee7ac4f22b24b509c /pages
parent262424936a83d9fc6968a261381a4c2ba95d0f0f (diff)
downloadelgg-9bda5425d8a1e33ce42ea11de12918706768c39b.tar.gz
elgg-9bda5425d8a1e33ce42ea11de12918706768c39b.tar.bz2
Fixes #5126 forwards on attempts to access someone else's settings page
Diffstat (limited to 'pages')
-rw-r--r--pages/settings/account.php3
-rw-r--r--pages/settings/statistics.php3
-rw-r--r--pages/settings/tools.php5
3 files changed, 7 insertions, 4 deletions
diff --git a/pages/settings/account.php b/pages/settings/account.php
index 1bf71973b..962e1fc37 100644
--- a/pages/settings/account.php
+++ b/pages/settings/account.php
@@ -11,7 +11,8 @@ gatekeeper();
// Make sure we don't open a security hole ...
if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
- elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+ register_error(elgg_echo('noaccess'));
+ forward('/');
}
$title = elgg_echo('usersettings:user');
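Review bot: The new guard protects this page only if `forward('/')` ends the request, because the script continues past the closing brace and renders settings for whatever page owner is set; nothing in the hunk states that dependency. I would replace the vague comment with `// Not the owner's editor: report and leave. forward() must not return - everything below renders the page owner's settings.` The same branch now also fires when no page owner is set at all, a case the removed line handled by falling back to the logged-in user. If the page handler (outside this diff) does not always set an owner, a user opening their own settings would now be bounced with 'noaccess', so that case is worth confirming or testing. Both points apply equally to the statistics.php and tools.php hunks, and the rest of each script lies outside the hunk.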
diff --git a/pages/settings/statistics.php b/pages/settings/statistics.php
index 9df71ec5e..9dcc9211d 100644
--- a/pages/settings/statistics.php
+++ b/pages/settings/statistics.php
@@ -11,7 +11,8 @@ gatekeeper();
// Make sure we don't open a security hole ...
if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
- elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+ register_error(elgg_echo('noaccess'));
+ forward('/');
}
$title = elgg_echo("usersettings:statistics");
diff --git a/pages/settings/tools.php b/pages/settings/tools.php
index daf381728..ed6b941c0 100644
--- a/pages/settings/tools.php
+++ b/pages/settings/tools.php
@@ -6,12 +6,13 @@
* @subpackage Core
*/
-// Make sure only valid users can see this
+// Only logged in users
gatekeeper();
// Make sure we don't open a security hole ...
if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
- elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+ register_error(elgg_echo('noaccess'));
+ forward('/');
}
$title = elgg_echo("usersettings:plugins");
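Review bot: This access check is now copied verbatim into three page scripts and calls `elgg_get_page_owner_entity()` twice per evaluation, so a later change to the authorization rule has to be made in three places and can drift. Within each file I would fetch the owner once, `$owner = elgg_get_page_owner_entity();` followed by `if (!$owner || !$owner->canEdit()) {`, which also drops the redundant parentheses. Longer term, moving the check plus the `register_error`/`forward` pair into one shared helper called from account.php, statistics.php and tools.php would keep the three settings pages consistent.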