From 035f68a467ab50776c3f52af0cceb750d60cb4a9 Mon Sep 17 00:00:00 2001 From: Ed Lyons Date: Sat, 2 Feb 2013 17:58:59 -0500 Subject: Update mod/messages/start.php We had an Elgg user named Chris Read with username 'read'. Once he registered, people's messages stopped working because hitting a message in your inbox was a url like: [site_name]/messages/read/459 - and the message code, supporting the old URL format, looked up the parameter right after messages and did a lookup on that word. So, since it got a user, redirected to his inbox. Yipes! So I put in some code checking that the parameter really is your username, so it would work for Chris, but not for anyone else. It works fine now. --- mod/messages/start.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/mod/messages/start.php b/mod/messages/start.php index e17640098..95ebffbdb 100644 --- a/mod/messages/start.php +++ b/mod/messages/start.php @@ -85,8 +85,17 @@ function messages_page_handler($page) { // supporting the old inbox url /messages/ $user = get_user_by_username($page[0]); if ($user) { - $page[1] = $page[0]; - $page[0] = 'inbox'; + // Need to make sure that the username of the parameter is actually + // the username of the logged in user. This will prevent strange + // errors like grabbing the 'read' parameter and looking up + // a user with username 'read' and finding it and redirecting + // to that other person's inbox. + + if ($user->username == elgg_get_logged_in_user_entity()->username) { + // OK, so it is our username and not someone else's + $page[1] = $page[0]; + $page[0] = 'inbox'; + } } if (!isset($page[1])) { -- cgit v1.2.3 From a72b4bce06062fa0a6f2fbd7489fac3474c3dc24 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sat, 2 Feb 2013 21:19:22 -0500 Subject: Handle logged out case, simplify logic --- mod/messages/start.php | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/mod/messages/start.php b/mod/messages/start.php index 95ebffbdb..5503a675a 100644 --- a/mod/messages/start.php +++ b/mod/messages/start.php @@ -74,32 +74,30 @@ function messages_init() { */ function messages_page_handler($page) { + $current_user = elgg_get_logged_in_user_entity(); + if (!$current_user) { + register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); + forward(''); + } + elgg_load_library('elgg:messages'); - elgg_push_breadcrumb(elgg_echo('messages'), 'messages/inbox/' . elgg_get_logged_in_user_entity()->username); + elgg_push_breadcrumb(elgg_echo('messages'), 'messages/inbox/' . $current_user->username); if (!isset($page[0])) { $page[0] = 'inbox'; } - // supporting the old inbox url /messages/ - $user = get_user_by_username($page[0]); - if ($user) { - // Need to make sure that the username of the parameter is actually - // the username of the logged in user. This will prevent strange - // errors like grabbing the 'read' parameter and looking up - // a user with username 'read' and finding it and redirecting - // to that other person's inbox. - - if ($user->username == elgg_get_logged_in_user_entity()->username) { - // OK, so it is our username and not someone else's - $page[1] = $page[0]; - $page[0] = 'inbox'; - } + // Support the old inbox url /messages/, but only if it matches the logged in user. + // Otherwise having a username like "read" on the system could confuse this function. + if ($current_user->username === $page[0]) { + $page[1] = $page[0]; + $page[0] = 'inbox'; } if (!isset($page[1])) { - $page[1] = elgg_get_logged_in_user_entity()->username; + $page[1] = $current_user->username; } $base_dir = elgg_get_plugins_path() . 'messages/pages/messages'; -- cgit v1.2.3