Major bug in 1.3.3 don't know if it carries over

[Infernette]

So anyone can read messages sent to people in 1.3.3 due to the fact that they rotate by ID and the id's aren't random strings. (Can we please get a viable codegen that doesn't dupe codes plz plz plz plz plz) If you're using 1.3.3. add this after the if($mysidia->user->group ect ect) end } and it should work dandy. It's best though to look for a codegen and have the id's a string of 20 characters(don't use the default gen that is on the site as it can produce a duplicate entry. I do not know if the system was upgraded in 1.3.4 so this could be a big issue in that gen. I only found it cause I'm reworking everything but the basic $mysidia base on a test base. For science.

PHP Code:

    if($this->action == "read"){
$pageURL = 'http';
if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80") {
$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
} else {
$pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
}//this here

$parts = Explode('/', $pageURL);
$the = $parts[count($parts) - 1];
$message = $mysidia->db->select("messages", array(), "id='{$the}'")->fetchObject();
if($message->touser != $mysidia->user->username)throw new NoPermissionException("This isn't your message.");
} 


ALSO I'm looking for someone who can point me to a REALLY BASIC site framework or tutorial, one that has things like calling the db through a $var(like on here) a theme, and *maybe* a few basic pages(i.e. Index). If anyone knows a good basic barebones tutorial it'd be sweet. :)

[Hwona]

I'd love to have this fixed. :L

[Abronsyth]

So this should be placed after this code in Messages.php?

PHP Code:

        if($mysidia->user->usergroup->getpermission("canpm") == "no"){
            throw new NoPermissionException($mysidia->lang->banned);
        } 


Correct?

[Hwona]

Thanks for the code Infernette!