Hide Memberlist

This forum is now closed as part of retiring phpBB2
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

This forum is now closed due to phpBB2.0 being retired.
StefanKausL
Registered User
Posts: 36
Joined: Fri Jul 09, 2004 7:20 pm
Location: Germany
Contact:

Post by StefanKausL »

Marshalrusty wrote:

Code: Select all

redirect(append_sid('login.'.$phpEx));

Wo1f wrote:

Code: Select all

redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));


Both lines are correct and involve NO security risk. The longer line directs a user to the member page instead of the index page AFTER login.

Version 1.0.7 of the mod Redirect anonymous users to login used the following line, which was a bit risky because of an unparsed query string - don't do that!

Code: Select all

redirect(append_sid('login.'.$phpEx.'?redirect=profile.'.$phpEx.'&'.$HTTP_SERVER_VARS['QUERY_STRING']));
It was immediately fixed in version 1.0.8.

TMB
Registered User
Posts: 474
Joined: Sat Sep 18, 2004 8:07 am

Re: Hide Memberlist

Post by TMB »

570thusaag wrote: I know they could veiw the memberlist, and I know all of the buttons for AIM and YIM and Email showed up... I never tried to email anyone from it... I just assumed you could, and I am about 100% certain that they could.

That might well be the case for your board, but unless I'm missing a configuration setting somewhere, it's certainly not normal behaviour for phpBB. My boards have no such MODs, yet email buttons don't appear until the user is logged in.

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

StefanKausL wrote: Both lines are correct and involve NO security risk. The longer line directs a user to the member page instead of the index page AFTER login.

Version 1.0.7 of the mod Redirect anonymous users to login used the following line, which was a bit risky because of an unparsed query string - don't do that!

Code: Select all

redirect(append_sid('login.'.$phpEx.'?redirect=profile.'.$phpEx.'&'.$HTTP_SERVER_VARS['QUERY_STRING']));
It was immediately fixed in version 1.0.8.


Thanks for taking the time to clarify this Stefan. I'd rather be safe than sorry. :wink: There you go Marshalrusty, now we can put this one to rest. All is well that ends well... and also confirmed by the mod author. The short version is safe contrary to my initial belief.

Peace
Wolf

User avatar
route66
Registered User
Posts: 340
Joined: Sat Jul 05, 2003 5:39 pm
Location: Chicago, IL

Post by route66 »

Marshalrusty wrote: This will redirect all non registered members to the login page.

Open up memberlist.php

Find:

Code: Select all

init_userprefs($userdata);
After add:

Code: Select all

if ($userdata['user_id'] == ANONYMOUS)
{
	redirect(append_sid('login.'.$phpEx));
}

Excellent dude!! EXCELLENT !!!

User avatar
HCP
Registered User
Posts: 172
Joined: Wed Jun 22, 2005 8:10 am
Location: Australia
Contact:

Post by HCP »

Wo1f wrote:

Code: Select all

redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));


There's a flaw with that. It redirects anyone from memberlist.php to index.php, regardless if they are guests or registered users.

geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

HCP wrote:
Wo1f wrote:

Code: Select all

redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));


There's a flaw with that. It redirects anyone from memberlist.php to index.php, regardless if they are guests or registered users.


Umm yeah, were did you see them say to use that line alone. Never.

User avatar
HCP
Registered User
Posts: 172
Joined: Wed Jun 22, 2005 8:10 am
Location: Australia
Contact:

Post by HCP »

geocator wrote:
HCP wrote:
Wo1f wrote:

Code: Select all

redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));


There's a flaw with that. It redirects anyone from memberlist.php to index.php, regardless if they are guests or registered users.


Umm yeah, were did you see them say to use that line alone. Never.

Where did you see them say not to use that line alone? I'm just trying to learn something here.

StefanKausL
Registered User
Posts: 36
Joined: Fri Jul 09, 2004 7:20 pm
Location: Germany
Contact:

Post by StefanKausL »

Here is the complete code snippet for memberlist.php:

Code: Select all

if ($userdata['user_id'] == ANONYMOUS)
{
   redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
}
Therefore only anonymous users are directed to the login page. After successful login they are directed to the memberlist.

Timber_Ghost
Registered User
Posts: 59
Joined: Sat Jan 22, 2005 10:07 pm

Post by Timber_Ghost »

This mod works great...But I was testing it out and found that when I was not logged in I could access members e-mail by going to their profile from reading their posts...How do I stop this...??

If this has been brought up before.... I'm sorry I could not find it....

User avatar
Marshalrusty
Project Manager
Project Manager
Posts: 29253
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Post by Marshalrusty »

Timber_Ghost wrote: This mod works great...But I was testing it out and found that when I was not logged in I could access members e-mail by going to their profile from reading their posts...How do I stop this...??

If this has been brought up before.... I'm sorry I could not find it....


You're not supposed to be able to get access to user's emails if you are not logged in at all.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

StefanKausL
Registered User
Posts: 36
Joined: Fri Jul 09, 2004 7:20 pm
Location: Germany
Contact:

Post by StefanKausL »

Instead of the code snippets posted here you should install the MOD:
Redirect anonymous users to login

Post Reply

Return to “[2.0.x] MOD Requests”