authorAndy Staudacher <andy.st@gmail.com>2010-02-11 13:11:31 -0800
committerAndy Staudacher <andy.st@gmail.com>2010-02-11 13:11:31 -0800
commitcd98f85260efd90cc93db78ee1efed997d0221c2 (patch)
treece98b7b9fadadc4ba4b5b42907f56fa5d88767e4 /modules/user/controllers/users.php
parent1ada27916fa4575f6b093db17f4165d8cce16088 (diff)
Fix for ticket 1010: Don't leak valid user names in "forgot password" form.
Includes fixes for user forms as well (edit user / email / password).
Diffstat (limited to 'modules/user/controllers/users.php')
-rw-r--r--modules/user/controllers/users.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index 0730f391..cd7d271f 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -20,7 +20,7 @@
class Users_Controller extends Controller {
public function update($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
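Review bot: The new guard `if (!$user || $user->guest || $user->id != identity::active_user()->id)` is now copied verbatim into six actions (update, change_password, change_email, form_edit, form_change_password, form_change_email), so the next fix of this kind has to be applied six times again; a single private helper that looks the user up and applies the check would keep the policy in one place. What matters for the ticket is that all three outcomes — unknown id, guest, or someone else's account — end in the same `access::forbidden()` call, so the response cannot be used to tell whether an id exists; the helper should preserve that uniform behaviour rather than introduce a distinct "not found" path. The existing code already relies on `access::forbidden()` not returning, since each action falls through into its body after the check, and the helper keeps that assumption. The bodies of all six methods continue outside the hunks.

```php
  public function update($id) {
    $user = $this->_lookup_own_user($id);
    // … unchanged: rest of update() …

  // Return the user for $id only when it is the active user's own, non-guest
  // account; every other case (no such user, guest, another account) is
  // answered identically with access::forbidden() so the response does not
  // reveal whether an id exists.
  private function _lookup_own_user($id) {
    $user = user::lookup($id);
    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
      access::forbidden();
    }
    return $user;
  }
```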
@@ -63,7 +63,7 @@ class Users_Controller extends Controller {
public function change_password($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -99,7 +99,7 @@ class Users_Controller extends Controller {
public function change_email($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -134,7 +134,7 @@ class Users_Controller extends Controller {
public function form_edit($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -143,7 +143,7 @@ class Users_Controller extends Controller {
public function form_change_password($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -152,7 +152,7 @@ class Users_Controller extends Controller {
public function form_change_email($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}