From cd98f85260efd90cc93db78ee1efed997d0221c2 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Thu, 11 Feb 2010 13:11:31 -0800
Subject: Fix for ticket 1010: Don't leak valid user names in "forgot password"
 form. Includes fixes for user forms as well (edit user / email / password).

---
 modules/user/controllers/users.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'modules/user/controllers/users.php')

diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index 0730f391..cd7d271f 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -20,7 +20,7 @@
 class Users_Controller extends Controller {
   public function update($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
@@ -63,7 +63,7 @@ class Users_Controller extends Controller {
 
   public function change_password($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
@@ -99,7 +99,7 @@ class Users_Controller extends Controller {
 
   public function change_email($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
@@ -134,7 +134,7 @@ class Users_Controller extends Controller {
 
   public function form_edit($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
@@ -143,7 +143,7 @@ class Users_Controller extends Controller {
 
   public function form_change_password($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
@@ -152,7 +152,7 @@ class Users_Controller extends Controller {
 
   public function form_change_email($id) {
     $user = user::lookup($id);
-    if ($user->guest || $user->id != identity::active_user()->id) {
+    if (!$user || $user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
-- 
cgit v1.2.3