Reading & Deleting Others' Private Messages Issue Tools
issueid=57 06-08-2016 05:37 PM
Member
Reading & Deleting Others' Private Messages
There's no check in the mail system to prevent users from reading and deleting other people's mail.

Users can edit the url to go to any private message. This allows them to read and delete other players' mail.

Here's a fix for a default installation of the Mysidia Adoptables script; this is the messages.php file. If you've modified your messages.php file, use the find function to see all the places where I used "NoPermissionException('This is NOT your message" and edit your file accordingly — specifically the following methods: read, delete, outboxread, outboxdelete, draftedit, draftdelete.

messages.php
PHP Code:
<?php

use Resource\Native\String;

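class MessagesController extends AppController{

    const PARAM = "id";

    // NOTE(review): the value compared against $recipient->options->pmstatus in
    // validate() was lost when this listing was pasted into the forum. The 1
    // below is a constructed placeholder -- restore the real value from your
    // own messages.php before using this file.
    const PMSTATUS_FRIENDS_ONLY = 1;

    /** @var PrivateMessage|null message loaded by the current action, if any */
    private $message;

    /**
     * Requires a logged-in member whose usergroup has the "canpm" permission.
     *
     * The pasted listing calls both setFlagss() and setFlags(); this version
     * uses setFlags() everywhere, the name the rest of the file already uses.
     *
     * @throws NoPermissionException when the usergroup may not use private messages
     */
    public function __construct(){
        parent::__construct("member");
        $mysidia = Registry::get("mysidia");
        $mysidia->user->getstatus();
        if($mysidia->user->usergroup->getpermission("canpm") == "no"){
            throw new NoPermissionException("banned");
        }
    }

    /**
     * Inbox listing: pages through the messages addressed to the current user.
     */
    public function index(){
        $mysidia = Registry::get("mysidia");
        try{
            $total = $mysidia->user->getallpms();
            $pagination = new Pagination($total, 10, "messages");
            $pagination->setPage($mysidia->input->get("page"));
            // The WHERE clause is string-built. The username comes from the
            // session, not from the request, so it is not directly attacker
            // controlled, but escaping still depends on $mysidia->db and on how
            // usernames are validated at registration -- neither is visible here.
            $stmt = $mysidia->db->select("messages", array(), "touser='{$mysidia->user->username}' ORDER BY id DESC LIMIT {$pagination->getLimit()},{$pagination->getRowsperPage()}");
            $this->setField("pagination", $pagination);
            $this->setField("stmt", new DatabaseStatement($stmt));
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
        }
    }

    /**
     * Inbox read view for ?id=N; marks an unread message as read.
     *
     * @throws NoPermissionException when the message is not addressed to the current user
     */
    public function read(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"));
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
            return;
        }

        // The id comes straight from the URL: enforce ownership before the
        // message reaches the view or is mutated.
        $this->assertOwnedBy($this->message->touser, "read");

        $this->setField("message", $this->message);
        if(!empty($this->message->status) and $this->message->status != "read"){
            $this->message->status = "read";
            $this->message->setRead($this->message->status);
        }
    }

    /**
     * Compose handler: on submit, validates the recipient and posts, drafts,
     * or updates a draft depending on the submitted flags.
     */
    public function newpm(){
        $mysidia = Registry::get("mysidia");
        if($mysidia->input->post("submit")){
            try{
                $recipient = new Member($mysidia->input->post("recipient"));
                $recipient->getoptions();
            }
            catch(MemberNotfoundException $mne){
                $this->setFlags("error", "error_user");
                return;
            }

            $this->validate($recipient);
            $message = new PrivateMessage;
            $message->setrecipient($recipient->username);
            if($mysidia->input->post("draft") == "yes"){
                $message->folder = "draft";
                $message->postDraft();
            }
            elseif($mysidia->input->post("draftedit") == "yes"){
                // NOTE(review): no draft id is passed here, so which draft
                // editDraft() updates -- and whether it checks that the draft
                // belongs to the current user -- is decided inside
                // PrivateMessage; confirm there.
                $message->setmessage($mysidia->input->post("mtitle"), $mysidia->input->post("mtext"));
                $message->editDraft();
            }
            else $message->post();
        }
    }

    /**
     * Deletes inbox message ?id=N.
     *
     * @throws NoPermissionException when the message is not addressed to the current user
     */
    public function delete(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"));
            $this->assertOwnedBy($this->message->touser, "delete");
            $this->message->remove();
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
        }
    }

    /**
     * Outbox listing: pages through messages the current user has sent.
     */
    public function outbox(){
        $mysidia = Registry::get("mysidia");
        try{
            $total = $mysidia->user->getallpms("outbox");
            $pagination = new Pagination($total, 10, "messages/outbox");
            $pagination->setPage($mysidia->input->get("page"));
            $folder = $mysidia->user->getFolder("outbox", $pagination);
            $this->setField("pagination", $pagination);
            $this->setField("folder", $folder);
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("message_error", "outbox_empty");
        }
    }

    /**
     * Outbox read view for ?id=N.
     *
     * @throws NoPermissionException when the current user is not the sender
     */
    public function outboxread(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"), "outbox");
            $this->assertOwnedBy($this->message->fromuser, "read");
            $this->setField("message", $this->message);
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
            return;
        }
    }

    /**
     * Deletes outbox message ?id=N.
     *
     * @throws NoPermissionException when the current user is not the sender
     */
    public function outboxdelete(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"), "outbox");
            $this->assertOwnedBy($this->message->fromuser, "delete");
            $this->message->remove();
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
        }
    }

    /**
     * Draft listing: pages through the current user's saved drafts.
     */
    public function draft(){
        $mysidia = Registry::get("mysidia");
        try{
            $total = $mysidia->user->getallpms("draft");
            $pagination = new Pagination($total, 10, "messages/draft");
            $pagination->setPage($mysidia->input->get("page"));
            $folder = $mysidia->user->getFolder("draft", $pagination);
            $this->setField("pagination", $pagination);
            $this->setField("folder", $folder);
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("message_error", "draft_empty");
        }
    }

    /**
     * Draft edit view for ?id=N.
     *
     * @throws NoPermissionException when the current user is not the draft's author
     */
    public function draftedit(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"), "draft");
            $this->assertOwnedBy($this->message->fromuser, "edit");
            $this->setField("message", $this->message);
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
        }
    }

    /**
     * Deletes draft ?id=N.
     *
     * @throws NoPermissionException when the current user is not the draft's author
     */
    public function draftdelete(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"), "draft");
            $this->assertOwnedBy($this->message->fromuser, "delete");
            $this->message->remove();
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
        }
    }

    /**
     * Report view/handler for inbox message ?id=N.
     *
     * The original listing skipped the ownership check here, so the report
     * page rendered any message by id; the check now matches read().
     *
     * @throws NoPermissionException when the message is not addressed to the current user
     */
    public function report(){
        $mysidia = Registry::get("mysidia");
        try{
            $this->message = new PrivateMessage($mysidia->input->get("id"));
        }
        catch(MessageNotfoundException $pne){
            $this->setFlags("nonexist_title", "nonexist");
            return;
        }

        $this->assertOwnedBy($this->message->touser, "report");

        if($mysidia->input->post("submit")){
            $this->message->report();
            return;
        }

        $admin = new Admin($mysidia->settings->systemuser);
        $this->setField("message", $this->message);
        $this->setField("admin", $admin);
    }

    /**
     * Rejects a compose submission that breaks the recipient's PM settings,
     * has a blank title/body, or asks for both outbox and draft at once.
     *
     * @throws InvalidActionException "error_friend", "error_blank" or "draft_conflict"
     */
    protected function validate(User $recipient){
        $mysidia = Registry::get("mysidia");
        // Friends are stored as a comma-separated list; default to an empty
        // list so $friends is always defined.
        $friends = array();
        if(!empty($recipient->friends)) $friends = explode(",", $recipient->friends);
        // Loose in_array kept on purpose: uid may be an int while the exploded
        // list holds strings, and a strict compare would silently block PMs.
        $isfriend = (empty($recipient->friends) or !in_array($mysidia->user->uid, $friends)) ? "no" : "yes";
        if($recipient->options->pmstatus == self::PMSTATUS_FRIENDS_ONLY and $isfriend == "no") throw new InvalidActionException("error_friend");
        if(!$mysidia->input->post("mtitle") or !$mysidia->input->post("mtext")) throw new InvalidActionException("error_blank");
        if($mysidia->input->post("outbox") == "yes" and $mysidia->input->post("draft")) throw new InvalidActionException("draft_conflict");
    }

    /**
     * Fails closed unless $owner is the logged-in username.
     *
     * Used by every action that loads a message from a user-supplied id;
     * an empty or missing owner is treated as "not yours" rather than as a
     * match, and the comparison is strict so type juggling cannot widen it.
     *
     * @param string|null $owner  touser (inbox) or fromuser (outbox/draft) of the loaded message
     * @param string      $action verb used in the exception message ("read", "delete", ...)
     * @throws NoPermissionException
     */
    private function assertOwnedBy($owner, $action){
        $mysidia = Registry::get("mysidia");
        $owner = (string)$owner;
        if($owner === "" || $owner !== (string)$mysidia->user->username){
            throw new NoPermissionException("This is NOT your message to {$action}.");
        }
    }
}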
Issue Details
Project The Bug Tracker
Category Unknown
Status Unconfirmed
Priority 1 - Highest
Affected Version Mys v1.3.4
Fixed Version (none)
Users able to reproduce bug 2
Users unable to reproduce bug 0
Assigned Users (none)
Tags (none)
