Code: Select all
init_userprefs($userdata);
Code: Select all
if ($userdata['user_id'] == ANONYMOUS)
{
redirect(append_sid('login.'.$phpEx));
}
Marshalrusty wrote: This will redirect all non registered members to the login page.
Open up memberlist.php
Find:After add:Code: Select all
init_userprefs($userdata);
Code: Select all
if ($userdata['user_id'] == ANONYMOUS) { redirect(append_sid('login.'.$phpEx)); }
Code: Select all
redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
Wo1f wrote: And that's... a SECURITY risk!! which has been identified in the mod thread that I mentionned above.
570thusaag wrote: What I really want is not so much to hide the memberlist, but rather to make it impossible for anyone that is not registered to email someone from that list, and I don't want to disable email between members.
noth wrote: 570 - you mean - you think that a guest can email a registered user?
That has never been the case since 2.0.5 at least 8O
I can't believe that every other poster on this thread has missed this basic point
Marshalrusty wrote: How is that a security risk? I failed to find that in the thread
Code: Select all
2005-05-21 - Version 1.0.8
## - Security risk fixed: use values instead of QUERY_STRING for redirect.
noth wrote: 570 - you mean - you think that a guest can email a registered user?
That has never been the case since 2.0.5 at least 8O
Marshalrusty wrote: Unless I am VERY MUCH mistaken, there is no way that can cause a security hole. It is simply standard code. There is nothing there
Marshalrusty wrote: His problem. And he knows better, since it's his MOD.
Marshalrusty wrote: Perhaps that is not what he meant when he said security risk failed
Marshalrusty wrote: I haven't looked at the MOD so idk. There could be a reason why he did it his way. THere probably is