Mercurial Hosting > nabble
changeset 64:f8a307aa811f
fix security hole
author | Franklin Schmidt <fschmidt@gmail.com> |
---|---|
date | Mon, 16 Sep 2024 20:53:23 -0600 |
parents | 4987e1a38a6c |
children | 3d7067a23eff |
files | src/nabble/view/naml/edit_profile.naml src/nabble/view/naml/user_profile.naml src/nabble/view/naml/utilities.naml src/nabble/view/web/template/ServletNamespace.java src/nabble/view/web/template/UserPageNamespace.java |
diffstat | 5 files changed, 4 insertions(+), 23 deletions(-) [+] |
line wrap: on
line diff
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/edit_profile.naml --- a/src/nabble/view/naml/edit_profile.naml Wed Aug 28 15:34:42 2024 -0600 +++ b/src/nabble/view/naml/edit_profile.naml Mon Sep 16 20:53:23 2024 -0600 @@ -2,13 +2,13 @@ <n.user_page.> <n.if.not.visitor.is_registered> <then> - <n.login.><t>You must login to view this page.</t></n.login.> + <n.login.><t>You must login to view this spage.</t></n.login.> </then> </n.if.not.visitor.is_registered> <n.if.both condition1="[n.not.visitor.is_site_admin/]" condition2="[n.not.page_user.equals.visitor/]"> <then> - <n.login.><t>You must login to view this page.</t></n.login.> + <n.login.><t>You must login to view this page.</t></n.login.> </then> </n.if.both>
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/user_profile.naml --- a/src/nabble/view/naml/user_profile.naml Wed Aug 28 15:34:42 2024 -0600 +++ b/src/nabble/view/naml/user_profile.naml Mon Sep 16 20:53:23 2024 -0600 @@ -203,7 +203,6 @@ <div style="margin-top:.3em"> <img src="/images/user_group.png" align="absmiddle" width="18" height="16"/> <a href="[n.local_user.change_user_groups_path/]"><t>Add / Remove Groups</t></a> - | <a href="[n.local_user.edit_profile_path/]"><t>Edit Profile</t></a> </div> </then> </n.if.visitor.is_site_admin>
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/utilities.naml --- a/src/nabble/view/naml/utilities.naml Wed Aug 28 15:34:42 2024 -0600 +++ b/src/nabble/view/naml/utilities.naml Mon Sep 16 20:53:23 2024 -0600 @@ -692,7 +692,7 @@ <macro name="edit_profile_path" requires="user"> <n.encode_url.> - /template/NamlServlet.jtp?macro=edit_profile&user=<n.id/> + /template/NamlServlet.jtp?macro=edit_profile </n.encode_url.> </macro> @@ -951,7 +951,7 @@ </macro> <macro name="user_page" dot_parameter="do" requires="servlet"> - <n.get_user_from_parameter.as_user_page.do/> + <n.visitor.as_user_page.do/> </macro> <macro name="width_style" dot_parameter="width">
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/web/template/ServletNamespace.java --- a/src/nabble/view/web/template/ServletNamespace.java Wed Aug 28 15:34:42 2024 -0600 +++ b/src/nabble/view/web/template/ServletNamespace.java Mon Sep 16 20:53:23 2024 -0600 @@ -352,20 +352,6 @@ out.print( interp.getArg(new NodeNamespace(node),"do") ); } - public static final CommandSpec get_user_from_parameter = CommandSpec.DO; - - @Command public void get_user_from_parameter(IPrintWriter out,ScopedInterpreter<UserNamespace> interp) - throws IOException, ServletException - { - String userId = Jtp.getString(request,"user"); - Person person = site().getPerson(userId); - if( person == null ) { - response.sendError(HttpServletResponse.SC_NOT_FOUND, "User not found."); - throw new ExitException(); - } - out.print( interp.getArg(new UserNamespace(person),"do") ); - } - Set<String> cacheEvents = null;
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/web/template/UserPageNamespace.java --- a/src/nabble/view/web/template/UserPageNamespace.java Wed Aug 28 15:34:42 2024 -0600 +++ b/src/nabble/view/web/template/UserPageNamespace.java Mon Sep 16 20:53:23 2024 -0600 @@ -21,10 +21,6 @@ public final class UserPageNamespace { private UserNamespace userNs; - public UserPageNamespace(Person person) { - this(new UserNamespace(person)); - } - public UserPageNamespace(UserNamespace userNs) { this.userNs = userNs; }