security thingie

    • #7024

      When logged in, the user id is set as hidden field in the signup form, but this can be falsified so one could change the name/phone info of a wordpress user like that.
      The correct way would be to get the user id in the function add_signup (in classes/data.php) via get_current_user_id() if the user is logged in, not transmitting it as a hidden field.

      On another note, for the question about submitting signups from the backend: you could do that from the frontend too via e.g. auto-completion assuming you have the right “admin” role. Then you could just transmit the signup-id as a hidden field, and in the signup function get the relevant info from that id if it is set. I’d be happy to supply some code for this.
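The two patterns from this post side by side, as an added illustration that is not the plugin's code: the hidden-field version that trusts a request-supplied user id, and the session-derived version that only honours a request-supplied id for a capability-checked manager completing a signup on a volunteer's behalf. `$fields` is assumed to be the already validated form data, and `manage_signups`, `volunteer_id` and `maybe_fill_profile` are hypothetical names.

```php
<?php
// Added illustration of the two patterns discussed in this thread; it is not
// the plugin's code. $fields is assumed to be the already validated form data,
// and 'manage_signups' / 'volunteer_id' are hypothetical names.

// Pattern described in the post: the user id is read back from a hidden form
// field, so any logged-in submitter can set it to any id they like.
function add_signup_hidden_field( array $fields ) {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $user_id ) {
        maybe_fill_profile( $user_id, $fields );
    }
}

// Suggested fix: the id comes from the authenticated session, never from the
// request. Anonymous submissions get 0 and touch no profile. A request-supplied
// id is honoured only when the submitter holds the manager capability (the
// "auto-completion" case from the thread).
function add_signup_from_session( array $fields ) {
    $user_id = get_current_user_id();

    if ( current_user_can( 'manage_signups' ) && ! empty( $_POST['volunteer_id'] ) ) {
        $user_id = absint( $_POST['volunteer_id'] );
    }

    if ( $user_id ) {
        maybe_fill_profile( $user_id, $fields );
    }
}

// Fills only fields that are still empty, matching the maintainer's description
// that existing name/phone values are never overwritten. Hypothetical helper.
function maybe_fill_profile( $user_id, array $fields ) {
    foreach ( array( 'first_name', 'last_name', 'phone' ) as $key ) {
        if ( empty( $fields[ $key ] ) ) {
            continue;
        }
        if ( '' === get_user_meta( $user_id, $key, true ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $fields[ $key ] ) );
        }
    }
}
```

A nonce check on the form (check_admin_referer or wp_verify_nonce) belongs in front of both handlers; it is left out here only to keep the id-handling difference visible.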

    • #7028
      Stephen Sherrard
      Keymaster

      For the first part, I would argue how much of a “security” risk that is, since that hidden field is ONLY there if the user is logged in when filling out the sign-up form. So, unless you are a site that allows anyone to register, with no checks for spammers, it would not be an issue. Beyond that, the name and phone info is ONLY updated if it was previously NOT set for that particular user. So, no, a malicious user could not use it to change the name or phone number of somebody who already has that info set in their profile. Plus, everything is validated before the form is submitted, and then sanitized before the info is saved, so, worst case, if you allow malicious users to register on your site, and they can guess the user id of another user who doesn’t have that info already in their profile, they can add a fake name or phone number to that other user’s profile, which would never be shown to the public anyway in most WordPress setups. They can’t utilize that for any kind of malicious code.

      For the second part, I’m happy to accept code additions & contributions to the project, especially since I have pretty much stopped all development on these free plugins, with the exceptions of bug & compatibility fixes.

    • #7057

      Hi,

      I’ve changed the code to allow auto-completion if you have the signup manager capability, and that takes into account the userid of the volunteer if chosen.
      If interested, please let me know the email you want to receive this on.

    • #7059
      Stephen Sherrard
      Keymaster

      Thanks. You can send it to stephen AT stephensherrardplugins.com
