Page 1 of 2

Hide Memberlist

Posted: Fri Jul 01, 2005 6:04 pm
by 570thusaag
Is there any way to hide a memberlist from the "guests"?

I have looked around a bit, and can't seem to find a way to do this (config, searched here, etc...)

What I really want is not so much to hide the memberlist, but rather to make it impossible for anyone that is not registered to email someone from that list, and I don't want to disable email between members.

I know this might sound like a mod request, but it isn't - first I am trying to find out if there is a way to do this in the reg php stock program.

Thanks!

Posted: Fri Jul 01, 2005 9:13 pm
by Wo1f
Hello 570thusaag!

You could manually adjust "index_body.tpl" to hide access to the memberlist when a visitor is not logged in, by moving the
"<!-- BEGIN switch_user_logged_out -->" and "<!-- END switch_user_logged_out -->"
switch to include or exclude what you want. BUT, there is a simple solution to your specific question, and yes it's a mod.
Works as advertized and bonus to boot... on v2.0.16!

Hope this helps!
Wolf

Posted: Fri Jul 01, 2005 9:16 pm
by Marshalrusty
This will redirect all non registered members to the login page.

Open up memberlist.php

Find:

Code: Select all

init_userprefs($userdata);
After add:

Code: Select all

if ($userdata['user_id'] == ANONYMOUS)
{
	redirect(append_sid('login.'.$phpEx));
}

Posted: Fri Jul 01, 2005 9:38 pm
by Wo1f
Marshalrusty wrote: This will redirect all non registered members to the login page.

Open up memberlist.php

Find:

Code: Select all

init_userprefs($userdata);
After add:

Code: Select all

if ($userdata['user_id'] == ANONYMOUS)
{
	redirect(append_sid('login.'.$phpEx));
}


And that's... a SECURITY risk!! which has been identified in the mod thread that I mentionned above.

replace with:

Code: Select all

redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
Regards
Wolf

Posted: Fri Jul 01, 2005 9:51 pm
by 570thusaag
Much thanks to you all- I am using the mod suggested (I had seen it before) coupled with Forum Permissions... things are working out just the way I was hoping they would.

Thanks again.

Posted: Fri Jul 01, 2005 10:11 pm
by Wo1f
Your welcome! :wink:

Posted: Fri Jul 01, 2005 10:36 pm
by Marshalrusty
Wo1f wrote: And that's... a SECURITY risk!! which has been identified in the mod thread that I mentionned above.


How is that a security risk? I failed to find that in the thread

This I want to hear

Re: Hide Memberlist

Posted: Fri Jul 01, 2005 11:46 pm
by noth
570thusaag wrote: What I really want is not so much to hide the memberlist, but rather to make it impossible for anyone that is not registered to email someone from that list, and I don't want to disable email between members.


570 - you mean - you think that a guest can email a registered user?

That has never been the case since 2.0.5 at least 8O

I can't believe that every other poster on this thread has missed this basic point

Re: Hide Memberlist

Posted: Sat Jul 02, 2005 12:12 am
by 570thusaag
noth wrote: 570 - you mean - you think that a guest can email a registered user?

That has never been the case since 2.0.5 at least 8O

I can't believe that every other poster on this thread has missed this basic point


Well- I can't go back (or won't put the effort into going back-I've already modded past that) to prove that point wrong or right... but I know they could veiw the memberlist, and I know all of the buttons for AIM and YIM and Email showed up... I never tried to email anyone from it... I just assumed you could, and I am about 100% certain that they could.

Posted: Sat Jul 02, 2005 12:28 am
by Wo1f
Marshalrusty wrote: How is that a security risk? I failed to find that in the thread

RTT - on page 7. Also, in the latest version package:

Code: Select all

2005-05-21 - Version 1.0.8
##	  - Security risk fixed: use values instead of QUERY_STRING for redirect.
From which version did you copy that snippet in your first post?

Peace
Wolf

Re: Hide Memberlist

Posted: Sat Jul 02, 2005 12:41 am
by Wo1f
noth wrote: 570 - you mean - you think that a guest can email a registered user?

That has never been the case since 2.0.5 at least 8O


Please feel free to correct me. I installed the mod in question a while back for many reasons, and because I noticed that guests could access a member's viewprofile and pick up whatever info was there. Whether through the memberlist or who's online for example, it certainly did not stop me from grabbing a member email.

Regards,
Wolf

Posted: Sat Jul 02, 2005 12:43 am
by Marshalrusty
I didn't take that piece of code from anywhere. I've been using that for a year or so :wink:

Unless I am VERY MUCH mistaken, there is no way that can cause a security hole. It is simply standard code. There is nothing there

Posted: Sat Jul 02, 2005 12:53 am
by Wo1f
Marshalrusty wrote: Unless I am VERY MUCH mistaken, there is no way that can cause a security hole. It is simply standard code. There is nothing there


It might be a good idea to inform the mod author, so the code could be revised in it's shorter form and we could all save some bandwidth - if it's not a security risk.

Regards,
Wolf

Posted: Sat Jul 02, 2005 12:56 am
by Marshalrusty
His problem. And he knows better, since it's his MOD.

Perhaps that is not what he meant when he said security risk failed

I haven't looked at the MOD so idk. There could be a reason why he did it his way. THere probably is

Posted: Sat Jul 02, 2005 1:18 am
by Wo1f
Marshalrusty wrote: His problem. And he knows better, since it's his MOD.

I'll see if I can get his attention and contribution to this thread. I take security very seriously as I'm sure you do also.

Marshalrusty wrote: Perhaps that is not what he meant when he said security risk failed

Speculation...

Marshalrusty wrote: I haven't looked at the MOD so idk. There could be a reason why he did it his way. THere probably is

It's a very simple mod (but also very efficient) that can be installed in a few minutes with one hand tied behind your back. :wink:

Regards,
Wolf