changeset 64:f8a307aa811f

fix security hole
author Franklin Schmidt <fschmidt@gmail.com>
date Mon, 16 Sep 2024 20:53:23 -0600
parents 4987e1a38a6c
children 3d7067a23eff
files src/nabble/view/naml/edit_profile.naml src/nabble/view/naml/user_profile.naml src/nabble/view/naml/utilities.naml src/nabble/view/web/template/ServletNamespace.java src/nabble/view/web/template/UserPageNamespace.java
diffstat 5 files changed, 4 insertions(+), 23 deletions(-) [+]
line wrap: on
line diff
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/edit_profile.naml
--- a/src/nabble/view/naml/edit_profile.naml	Wed Aug 28 15:34:42 2024 -0600
+++ b/src/nabble/view/naml/edit_profile.naml	Mon Sep 16 20:53:23 2024 -0600
@@ -2,13 +2,13 @@
 	<n.user_page.>
 		<n.if.not.visitor.is_registered>
 			<then>
-				<n.login.><t>You must login to view this page.</t></n.login.>
+				<n.login.><t>You must login to view this spage.</t></n.login.>
 			</then>
 		</n.if.not.visitor.is_registered>
 
 		<n.if.both condition1="[n.not.visitor.is_site_admin/]" condition2="[n.not.page_user.equals.visitor/]">
 			<then>
-				<n.login.><t>You must login to view this page.</t></n.login.>
+				<n.login.><t>You must login to view this page.</t></n.login.>
 			</then>
 		</n.if.both>
 
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/user_profile.naml
--- a/src/nabble/view/naml/user_profile.naml	Wed Aug 28 15:34:42 2024 -0600
+++ b/src/nabble/view/naml/user_profile.naml	Mon Sep 16 20:53:23 2024 -0600
@@ -203,7 +203,6 @@
 				<div style="margin-top:.3em">
 					<img src="/images/user_group.png" align="absmiddle" width="18" height="16"/>
 					<a href="[n.local_user.change_user_groups_path/]"><t>Add / Remove Groups</t></a>
-					| <a href="[n.local_user.edit_profile_path/]"><t>Edit Profile</t></a>
 				</div>
 			</then>
 		</n.if.visitor.is_site_admin>
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/naml/utilities.naml
--- a/src/nabble/view/naml/utilities.naml	Wed Aug 28 15:34:42 2024 -0600
+++ b/src/nabble/view/naml/utilities.naml	Mon Sep 16 20:53:23 2024 -0600
@@ -692,7 +692,7 @@
 
 <macro name="edit_profile_path" requires="user">
 	<n.encode_url.>
-		/template/NamlServlet.jtp?macro=edit_profile&user=<n.id/>
+		/template/NamlServlet.jtp?macro=edit_profile
 	</n.encode_url.>
 </macro>
 
@@ -951,7 +951,7 @@
 </macro>
 
 <macro name="user_page" dot_parameter="do" requires="servlet">
-	<n.get_user_from_parameter.as_user_page.do/>
+	<n.visitor.as_user_page.do/>
 </macro>
 
 <macro name="width_style" dot_parameter="width">
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/web/template/ServletNamespace.java
--- a/src/nabble/view/web/template/ServletNamespace.java	Wed Aug 28 15:34:42 2024 -0600
+++ b/src/nabble/view/web/template/ServletNamespace.java	Mon Sep 16 20:53:23 2024 -0600
@@ -352,20 +352,6 @@
 		out.print( interp.getArg(new NodeNamespace(node),"do") );
 	}
 
-	public static final CommandSpec get_user_from_parameter = CommandSpec.DO;
-
-	@Command public void get_user_from_parameter(IPrintWriter out,ScopedInterpreter<UserNamespace> interp)
-		throws IOException, ServletException
-	{
-		String userId = Jtp.getString(request,"user");
-		Person person = site().getPerson(userId);
-		if( person == null ) {
-			response.sendError(HttpServletResponse.SC_NOT_FOUND, "User not found.");
-			throw new ExitException();
-		}
-		out.print( interp.getArg(new UserNamespace(person),"do") );
-	}
-
 
 	Set<String> cacheEvents = null;
 
diff -r 4987e1a38a6c -r f8a307aa811f src/nabble/view/web/template/UserPageNamespace.java
--- a/src/nabble/view/web/template/UserPageNamespace.java	Wed Aug 28 15:34:42 2024 -0600
+++ b/src/nabble/view/web/template/UserPageNamespace.java	Mon Sep 16 20:53:23 2024 -0600
@@ -21,10 +21,6 @@
 public final class UserPageNamespace {
 	private UserNamespace userNs;
 
-	public UserPageNamespace(Person person) {
-		this(new UserNamespace(person));
-	}
-
 	public UserPageNamespace(UserNamespace userNs) {
 		this.userNs = userNs;
 	}