FS#1329 Update Profile doesn't check auth capabilities correctly

ACL & Authentication

• 

  2008-02-05 andy.webber

  The "Update Profile" functionality does not correctly check which features can actually be modified by the auth backend.
  
  Firstly, there is a bug in html.php:html_updateprofile() where the wrong canDo capability is checked (to change e-mail address, the ability to change name is checked in error):
  $ diff html.php html.php.distrib
  979c979
  <       <input type="text" name="email" <?php if(!$auth->canDo('modMail')) echo 'disabled="disabled"'?> class="edit" size="50" value="<?php echo formText($_POST['email'])?>" />
  ---
  >       <input type="text" name="email" <?php if(!$auth->canDo('modName')) echo 'disabled="disabled"'?> class="edit" size="50" value="<?php echo formText($_POST['email'])?>" />
  
  Secondly, changes are required in auth.php:updateprofile()  to cope with unmodified FORM elements not being posted and to make sure that a rogue client can not post values that should not be modifiable:
  
  $ diff auth.php auth.php.distrib
  627,628c627
  <   if ((empty($_POST['fullname']) && $auth->canDo('modName')) ||
  <      (empty($_POST['email']) && $auth->canDo('modMail'))) {
  ---
  >   if (empty($_POST['fullname']) || empty($_POST['email'])) {
  633c632
  <   if (!mail_isvalid($_POST['email']) && $auth->canDo['modPass']){
  ---
  >   if (!mail_isvalid($_POST['email'])){
  638,640c637,639
  <   if ($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) $changes['name'] = $_POST['fullname'];
  <   if ($_POST['email']    != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) $changes['mail'] = $_POST['email'];
  <   if (!empty($_POST['newpass']) && $auth->canDo['modPass'])  $changes['pass'] = $_POST['newpass'];
  ---
  >   if ($_POST['fullname'] != $INFO['userinfo']['name']) $changes['name'] = $_POST['fullname'];
  >   if ($_POST['email']    != $INFO['userinfo']['mail']) $changes['mail'] = $_POST['email'];
  >   if (!empty($_POST['newpass']))  $changes['pass'] = $_POST['newpass'];
• 

  2008-11-13 andy.webber

  diff attached

  • auth.php.diff text/plain
• 

  2009-06-03 andy.webber

  looks like the fix that went into the code is incomplete as disabled fields are still checked. Diff on 2008-05-05 code here:
  --- auth.php 2008-11-13 08:45:04.000000000 -0800
  +++ auth.php.distrib 2008-11-13 08:34:20.000000000 -0800
  @@ -644,13 +644,12 @@
    $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['fullname']));
    $_POST['email']    = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['email']));
  
  -  if ((empty($_POST['fullname']) && $auth->canDo('modName')) ||
  -      (empty($_POST['email']) && $auth->canDo('modMail'))) {
  +  if (empty($_POST['fullname']) || empty($_POST['email'])) {
      msg($lang['profnoempty'],-1);
      return false;
    }
  
  -  if (!mail_isvalid($_POST['email']) && $auth->canDo('modMail')){
  +  if (!mail_isvalid($_POST['email'])){
      msg($lang['regbadmail'],-1);
      return false;
    }
  
• 

  2009-11-28 andi

  patch applied