Mysidia Adoptables Support Forum  

Home Community Mys-Script Creative Off-Topic
Go Back   Mysidia Adoptables Support Forum > Projects > The Bug Tracker > Bug

Notices

Reading & Deleting Others' Private Messages Issue Tools
issueid=57 06-08-2016 06:37 PM
Member
Reading & Deleting Others' Private Messages
There's no check in the mail system to prevent users from reading and deleting other people's mail.

Users can edit the url to go to any private message. This allows them to read and delete other players' mail.

Here's a fix on a default installation of the Mysidia Adoptables script, this is the messages.php file. If you've modified your messages.php file use the find function to see all the places where I used "NoPermissionException('This is NOT your message" and edit your file accordingly, specifically the following methods: read, delete, outboxread, outboxdelete, draftedit, draftdelete.

messages.php
PHP Code:
<?php

use Resource\Native\String;

class 
MessagesController extends AppController{

    const 
PARAM "id";
    private 
$message;

    public function 
__construct(){
        
parent::__construct("member");    
        
$mysidia Registry::get("mysidia");        
        
$mysidia->user->getstatus();    
        if(
$mysidia->user->usergroup->getpermission("canpm") == "no"){
            throw new 
NoPermissionException("banned");
        }
    }
    
    public function 
index(){
        
$mysidia Registry::get("mysidia");
        try{
            
$total $mysidia->user->getallpms();
            
$pagination = new Pagination($total10"messages");
            
$pagination->setPage($mysidia->input->get("page"));    
            
$stmt $mysidia->db->select("messages", array(), "touser='{$mysidia->user->username}' ORDER BY id DESC LIMIT {$pagination->getLimit()},{$pagination->getRowsperPage()}");        
            
$this->setField("pagination"$pagination);
            
$this->setField("stmt", new DatabaseStatement($stmt));
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlagss("nonexist_title""nonexist");
        }   
    }
    
    public function 
read(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"));
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlagss("nonexist_title""nonexist");
            return;
        }    

        if (
$this->message->touser != $mysidia->user->username) {
            throw new 
NoPermissionException('This is NOT your message to read.');
            return;
        }
        
        
$this->setField("message"$this->message);
        if(!empty(
$this->message->status) and $this->message->status != "read"){
            
$this->message->status "read";
            
$this->message->setRead($this->message->status);
        }        
    }
    
    public function 
newpm(){
        
$mysidia Registry::get("mysidia");    
        if(
$mysidia->input->post("submit")){
            try{
                
$recipient = new Member($mysidia->input->post("recipient"));
                
$recipient->getoptions();
            }
            catch(
MemberNotfoundException $mne){
                
$this->setFlagss("error""error_user");
                return;                
            }
            
            
$this->validate($recipient);
              
$message = new PrivateMessage;
            
$message->setrecipient($recipient->username);
            if(
$mysidia->input->post("draft") == "yes"){
                
$message->folder "draft";
                
$message->postDraft();
            }
            elseif(
$mysidia->input->post("draftedit") == "yes"){
                
$message->setmessage($mysidia->input->post("mtitle"), $mysidia->input->post("mtext"));
                
$message->editDraft();
            }
            else 
$message->post();
        }
    }
    
    public function 
delete(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"));
            if (
$this->message->touser != $mysidia->user->username) {
                throw new 
NoPermissionException('This is NOT your message to delete.');
                return;
            }
            
$this->message->remove();
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlagss("nonexist_title""nonexist");
        }    
    }
    
    public function 
outbox(){
        
$mysidia Registry::get("mysidia");
        try{
            
$total $mysidia->user->getallpms("outbox");
            
$pagination = new Pagination($total10"messages/outbox");
            
$pagination->setPage($mysidia->input->get("page"));
            
$folder $mysidia->user->getFolder("outbox"$pagination);        
            
$this->setField("pagination"$pagination);
            
$this->setField("folder"$folder);
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("message_error""outbox_empty");
        }   
    }
    
    public function 
outboxread(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"), "outbox");
            if (
$this->message->fromuser != $mysidia->user->username) {
                throw new 
NoPermissionException('This is NOT your message to read.');
                return;
            }
            
$this->setField("message"$this->message);
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("nonexist_title""nonexist");
            return;
        }    
    }
    
    public function 
outboxdelete(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"), "outbox");
            if (
$this->message->fromuser != $mysidia->user->username) {
                throw new 
NoPermissionException('This is NOT your message to delete.');
                return;
            }
            
$this->message->remove();
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("nonexist_title""nonexist");
        }    
    }
    
    public function 
draft(){
        
$mysidia Registry::get("mysidia"); 
        try{
            
$total $mysidia->user->getallpms("draft");
            
$pagination = new Pagination($total10"messages/draft");
            
$pagination->setPage($mysidia->input->get("page"));
            
$folder $mysidia->user->getFolder("draft"$pagination);
            
$this->setField("pagination"$pagination);
            
$this->setField("folder"$folder);
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("message_error""draft_empty");
        }     
    }
    
    public function 
draftedit(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"), "draft");
            if (
$this->message->fromuser != $mysidia->user->username) {
                throw new 
NoPermissionException('This is NOT your message to edit.');
                return;
            }
            
$this->setField("message"$this->message);            
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("nonexist_title""nonexist");
        }
    }
    
    public function 
draftdelete(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"), "draft");
            if (
$this->message->fromuser != $mysidia->user->username) {
                throw new 
NoPermissionException('This is NOT your message to delete.');
                return;
            }
            
$this->message->remove();            
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("nonexist_title""nonexist");
        }
    }
    
    public function 
report(){
        
$mysidia Registry::get("mysidia");
        try{
            
$this->message = new PrivateMessage($mysidia->input->get("id"));
        }
        catch(
MessageNotfoundException $pne){
            
$this->setFlags("nonexist_title""nonexist");
            return;
        }

        if(
$mysidia->input->post("submit")){        
            
$this->message->report();
            return;
        }        
        
$admin = new Admin($mysidia->settings->systemuser);
        
$this->setField("message"$this->message);
        
$this->setField("admin"$admin);
    }
    
    protected function 
validate(User $recipient){
        
$mysidia Registry::get("mysidia");
        if(!empty(
$recipient->friends)) $friends explode(","$recipient->friends);
        
$isfriend = (empty($recipient->friends) or !in_array($mysidia->user->uid$friends))?"no":"yes";            
        if(
$recipient->options->pmstatus == and $isfriend == "no") throw new InvalidActionException("error_friend");
        if(!
$mysidia->input->post("mtitle") or !$mysidia->input->post("mtext")) throw new InvalidActionException("error_blank");
        if(
$mysidia->input->post("outbox") == "yes" and $mysidia->input->post("draft")) throw new InvalidActionException("draft_conflict");     
    }
}
Issue Details
Project The Bug Tracker
Category Unknown
Status Unconfirmed
Priority 1 - Highest
Affected Version Mys v1.3.4
Fixed Version Mys v1.3.5
Users able to reproduce bug 2
Users unable to reproduce bug 0
Assigned Users (none)
Tags (none)

12-01-2020 01:10 PM
Administrator, Lead Coder
 
Weird I didnt see this issue earlier. It has been addressed and will be fixed in the next release.
Reply
03-12-2021 07:08 PM
Member
 
Quote:
Originally Posted by Hall of Famer
Weird I didnt see this issue earlier. It has been addressed and will be fixed in the next release.
Has this been fixed in version 1.3.5?
Reply
03-15-2021 05:06 PM
Administrator, Lead Coder
 
Yes this is not an issue in Mys v1.3.5.
Reply
Reply

All times are GMT -5. The time now is 11:40 PM.

Currently Active Users: 732 (0 members and 732 guests)
Threads: 4,081, Posts: 32,032, Members: 2,016
Welcome to our newest members, jolob.
BETA





What's New?

What's Hot?

What's Popular?


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
vBCommerce I v2.0.0 Gold ©2010, PixelFX Studios
vBCredits I v2.0.0 Gold ©2010, PixelFX Studios
Emoticons by darkmoon3636