security thingie (Volunteer Sign-Up Sheets – Feature Requests forum)
This topic has 3 replies, 2 voices, and was last updated 9 years ago by Stephen Sherrard.
November 1, 2015 at 12:47 PM, #7024, Franky Van Liedekerke (Participant)
When logged in, the user id is set as hidden field in the signup form, but this can be falsified so one could change the name/phone info of a wordpress user like that.
The correct way would be to get the user id in the function add_signup (in classes/data.php) via get_current_user_id() if the user is logged in, not transmitting it as a hidden field.

On another note, for the question about submitting signups from the backend: you could do that from the frontend too via e.g. auto-completion assuming you have the right “admin” role. Then you could just transmit the signup-id as a hidden field, and in the signup function get the relevant info from that id if it is set. I’d be happy to supply some code for this.
November 1, 2015 at 2:26 PM, #7028, Stephen Sherrard (Keymaster)
For the first part, I would argue how much of a “security” risk that is, since that hidden field is ONLY there if the user is logged in when filling out the sign-up form. So, unless you are a site that allows anyone to register, with no checks for spammers, it would not be an issue. Beyond that, the name and phone info is ONLY updated if it was previously NOT set for that particular user. So, no, a malicious user could not use it to change the name or phone number of somebody who already has that info set in their profile. Plus, everything is validated before the form is submitted, and then sanitized before the info is saved, so, worst case, if you allow malicious users to register on your site, and they can guess the user id of another user who doesn’t have that info already in their profile, they can add a fake name or phone number to that other user’s profile, which would never be shown to the public anyway in most WordPress setups. They can’t utilize that for any kind of malicious code.
For the second part, I’m happy to accept code additions & contributions to the project, especially since I have pretty much stopped all development on these free plugins, with the exceptions of bug & compatibility fixes.
November 4, 2015 at 9:06 AM, #7057, Franky Van Liedekerke (Participant)
Hi,
I’ve changed the code to allow auto-completion if you have the signup manager capability, and that takes into account the user id of the volunteer if chosen.
If interested, please let me know the email you want to receive this on.
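The thread above makes three points about the sign-up handler: the acting user's id should come from get_current_user_id() rather than a hidden form field, name and phone should only be written into a profile that does not already have them set, and a user with the signup manager capability should be able to pick another volunteer. The PHP below is an added example illustrating all three together in one hardened handler; it is not the plugin's own code from classes/data.php. The capability name `manage_signup_sheets`, the usermeta key `signup_phone`, the nonce action `signup_form` and the form field names are assumptions chosen for the example.

```php
<?php
// Added example, not the Volunteer Sign-Up Sheets plugin's own code.
// Assumptions: capability 'manage_signup_sheets' stands in for the plugin's
// "signup manager capability"; usermeta key 'signup_phone' stands in for
// wherever the plugin keeps a volunteer's phone number; nonce action
// 'signup_form' and the form field names are invented for this example.
// Requires WordPress to be loaded (get_current_user_id(), current_user_can(),
// get_user_meta(), update_user_meta(), sanitize_text_field(), wp_unslash(),
// absint(), wp_verify_nonce(), WP_Error).

/**
 * Decide which WordPress user a signup belongs to.
 *
 * Pattern the first post objects to:
 *     $user_id = absint( $_POST['user_id'] ); // client controlled, can be falsified
 *
 * Hardened pattern: the server already knows who is logged in, so the acting
 * user's id is never read from the form. A posted volunteer id is honoured
 * only when the current user holds the signup manager capability.
 */
function resolve_signup_user_id( array $post ) {
    $current = get_current_user_id();            // 0 when nobody is logged in
    if ( 0 === $current ) {
        return 0;                                // anonymous signup: no profile is touched
    }
    $requested = isset( $post['volunteer_id'] ) ? absint( $post['volunteer_id'] ) : 0;
    if ( $requested > 0 && $requested !== $current
         && current_user_can( 'manage_signup_sheets' ) ) { // assumed capability name
        return $requested;                       // manager signing up a chosen volunteer
    }
    return $current;                             // everyone else: only themselves
}

/**
 * Copy name/phone from the form into the profile only where the profile is
 * still empty (the behaviour the plugin author describes in the reply), so a
 * signup can never overwrite data the user already set.
 * Returns the list of usermeta keys that were written.
 */
function fill_missing_profile_fields( $user_id, array $post ) {
    if ( 0 === $user_id ) {
        return array();
    }
    $fields = array(
        'first_name'   => 'firstname',           // usermeta key => form field name
        'last_name'    => 'lastname',
        'signup_phone' => 'phone',               // assumed meta key for the phone number
    );
    $updated = array();
    foreach ( $fields as $meta_key => $form_key ) {
        if ( empty( $post[ $form_key ] ) ) {
            continue;
        }
        // get_user_meta() with $single = true returns '' when the key is unset.
        $existing = get_user_meta( $user_id, $meta_key, true );
        if ( '' !== $existing && false !== $existing ) {
            continue;                            // already set: leave it alone
        }
        $value = sanitize_text_field( wp_unslash( $post[ $form_key ] ) );
        update_user_meta( $user_id, $meta_key, $value );
        $updated[] = $meta_key;
    }
    return $updated;
}

/**
 * Form handler: verify the nonce, resolve the owner server-side, fill only
 * empty profile fields, then record the signup against that owner.
 */
function add_signup_hardened( array $post ) {
    if ( ! isset( $post['_wpnonce'] )
         || ! wp_verify_nonce( $post['_wpnonce'], 'signup_form' ) ) { // assumed action
        return new WP_Error( 'bad_nonce', 'Form verification failed.' );
    }
    $user_id = resolve_signup_user_id( $post );
    $filled  = fill_missing_profile_fields( $user_id, $post );
    // The signup row would be inserted here using $user_id; a posted
    // $post['user_id'] is deliberately never consulted.
    return array(
        'user_id'               => $user_id,
        'profile_fields_filled' => $filled,
    );
}
```

The form itself then needs no hidden user id field at all; the only id it may carry is the optional `volunteer_id` chosen through the manager's auto-completion, and that value is ignored unless the submitting user has the manager capability.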
November 4, 2015 at 9:16 AM, #7059, Stephen Sherrard (Keymaster)
Thanks. You can send it to stephen AT stephensherrardplugins.com
The topic ‘security thingie’ is closed to new replies.