[Fusionforge-general] [Fusionforge-commits] r16200 - in branches: Branch_5_1/src/common/include Branch_5_1/src/debian Branch_5_1/src/www/include Branch_5_1/src/www/top Branch_5_2/src/common/include Branch_5_2/src/debian Branch_5_2/src/www/include Branch_5_2/src/www/top wheezy/common/include wheezy/debian wheezy/www/include wheezy/www/top

Franck Villaume franck.villaume at trivialdev.com
Mon Sep 3 19:56:54 CEST 2012


On 03/09/2012 14:09, Thorsten Glaser wrote:
> Author: mirabilos
> Date: 2012-09-03 14:09:31 +0200 (Mon, 03 Sep 2012)
> New Revision: 16200
> 
> Modified:
>    branches/Branch_5_1/src/common/include/Stats.class.php
>    branches/Branch_5_1/src/debian/changelog
>    branches/Branch_5_1/src/www/include/user_home.php
>    branches/Branch_5_1/src/www/top/toplist.php
>    branches/Branch_5_2/src/common/include/Stats.class.php
>    branches/Branch_5_2/src/debian/changelog
>    branches/Branch_5_2/src/www/include/user_home.php
>    branches/Branch_5_2/src/www/top/toplist.php
>    branches/wheezy/common/include/Stats.class.php
>    branches/wheezy/debian/changelog
>    branches/wheezy/www/include/user_home.php
>    branches/wheezy/www/top/toplist.php
> Log:
> SECURITY: Do not disclose inaccessible groups on user_home/toplist

Hi, the user_home was already fixed in 5.2.
But your fix is nicer than mine. I remove my code since you just include
your code on top of mine.

Check r16201 in Branch_5_2

Bye,
nerville


> 
> Modified: branches/Branch_5_2/src/www/include/user_home.php
> ===================================================================
> --- branches/Branch_5_2/src/www/include/user_home.php	2012-09-03 11:17:58 UTC (rev 16199)
> +++ branches/Branch_5_2/src/www/include/user_home.php	2012-09-03 12:09:31 UTC (rev 16200)
> @@ -6,7 +6,8 @@
>   * Copyright 2010, FusionForge Team
>   * Copyright (C) 2011 Alain Peyrat - Alcatel-Lucent
>   * Copyright 2012, Franck Villaume - TrivialDev
> - * http://fusionforge.org
> + * Copyright © 2012
> + *	Thorsten Glaser <t.glaser at tarent.de>
>   *
>   * This file is part of FusionForge. FusionForge is free software;
>   * you can redistribute it and/or modify it under the terms of the
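
Review bot: The header hunk deletes the ` * http://fusionforge.org` line in the same place where it adds the new copyright lines; if dropping the URL is not intended, keep that line and add the copyright entry below it. The header edit is also unrelated to the access check named in the log message, and since this revision is tagged SECURITY and applied to three branches, limiting it to the functional change would make it easier to audit and backport.
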
> @@ -36,7 +37,7 @@
>  $title = _('User Profile');
>  $HTML->header(array('title'=>$title));
>  
> -echo $HTML->boxTop(_('Personal Information'), _('Personal Information')); 
> +echo $HTML->boxTop(_('Personal Information'), _('Personal Information'));
>  
>  ?>
>  
> @@ -44,9 +45,9 @@
>  
>  
>  	<?php
> -	
> +
>  	echo user_personal_information($user);
> -	
> +
>  	if (forge_get_config('use_ratings')) {
>  		echo $HTML->boxMiddle(_('Peer Rating'), _('Peer Rating'));
>          echo '<table class="my-layout-table" id="user-profile-rating">';
> @@ -105,6 +106,10 @@
>  	print "<p>"._('This developer is a member of the following projects:')."</p>\n";
>  
>  	foreach ($projects as $p) {
> +		if (!forge_check_perm('project_read', $p->getID())) {
> +			continue;
> +		}
> +
>  		$display = 0;
>  		if (!$p->isPublic()) {
>  			$currentUser = session_get_user();
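
Review bot: The paragraph "This developer is a member of the following projects:" is printed before the `foreach`, so the new `forge_check_perm('project_read', $p->getID())` skip can leave that heading above an empty list when the viewer can read none of the projects. Filter `$projects` with the permission check before the `print` and skip the paragraph when nothing remains. The `$display` / `isPublic()` / `session_get_user()` logic that follows the new check overlaps with it; remove or fold it in so there is a single access decision per project.
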
> @@ -202,5 +207,3 @@
>  // mode: php
>  // c-file-style: "bsd"
>  // End:
> -
> -?>
> 


-- 
TrivialDev Founder
http://trivialdev.com


