diff options
author | Cash Costello <cash.costello@gmail.com> | 2013-02-23 08:05:01 -0500 |
---|---|---|
committer | Cash Costello <cash.costello@gmail.com> | 2013-02-23 08:05:01 -0500 |
commit | 9bda5425d8a1e33ce42ea11de12918706768c39b (patch) | |
tree | b92870c7db03630b5534958ee7ac4f22b24b509c /pages | |
parent | 262424936a83d9fc6968a261381a4c2ba95d0f0f (diff) | |
download | elgg-9bda5425d8a1e33ce42ea11de12918706768c39b.tar.gz elgg-9bda5425d8a1e33ce42ea11de12918706768c39b.tar.bz2 |
Fixes #5126 forwards on attempts to access someone else's settings page
Diffstat (limited to 'pages')
-rw-r--r-- | pages/settings/account.php | 3 | ||||
-rw-r--r-- | pages/settings/statistics.php | 3 | ||||
-rw-r--r-- | pages/settings/tools.php | 5 |
3 files changed, 7 insertions, 4 deletions
diff --git a/pages/settings/account.php b/pages/settings/account.php index 1bf71973b..962e1fc37 100644 --- a/pages/settings/account.php +++ b/pages/settings/account.php @@ -11,7 +11,8 @@ gatekeeper(); // Make sure we don't open a security hole ... if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) { - elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); + register_error(elgg_echo('noaccess')); + forward('/'); } $title = elgg_echo('usersettings:user'); diff --git a/pages/settings/statistics.php b/pages/settings/statistics.php index 9df71ec5e..9dcc9211d 100644 --- a/pages/settings/statistics.php +++ b/pages/settings/statistics.php @@ -11,7 +11,8 @@ gatekeeper(); // Make sure we don't open a security hole ... if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) { - elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); + register_error(elgg_echo('noaccess')); + forward('/'); } $title = elgg_echo("usersettings:statistics"); diff --git a/pages/settings/tools.php b/pages/settings/tools.php index daf381728..ed6b941c0 100644 --- a/pages/settings/tools.php +++ b/pages/settings/tools.php @@ -6,12 +6,13 @@ * @subpackage Core */ -// Make sure only valid users can see this +// Only logged in users gatekeeper(); // Make sure we don't open a security hole ... if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) { - elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); + register_error(elgg_echo('noaccess')); + forward('/'); } $title = elgg_echo("usersettings:plugins"); |