dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Thu Aug 19, 2010 9:07 am

I think I did this once before on the other server, but nonetheless I need to be able to disable anonymous users from being able to email content entries to friends, etc. Only reg'd users to have the ability or disable it altogether.

Jon?

Cheers
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2456
Location: Pittsburgh, Pennsylvania

Posted: Thu Aug 19, 2010 10:18 am

You need to find the appropriate section of code and wrap it in
Code:
 if (is_user($user)) {

}
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Thu Aug 19, 2010 10:54 am

Ok, I have three lines referring to mailing to "friend":

Code:
case 'share_page': include('modules/'.$module_name.'/var/friend.php'); break;


The other two lines just echo an output to screen.

Wrap just this line above, like?:

Code:

if (is_user($user)) {
case 'share_page': include('modules/'.$module_name.'/var/friend.php'); break;
}


What about just commenting out the line instead?

Thanks
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Thu Aug 19, 2010 10:58 am

Commenting out the line works, when clicking on the envelope to mail to a friend, it just brings back the content index page. But I don't know if this is the RIGHT way to do it, re:, ill effects?? Don't see any .. yet. ;)
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2456
Location: Pittsburgh, Pennsylvania

Posted: Thu Aug 19, 2010 11:05 am

Try this.
Code:

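case 'share_page':
   // Only registered users may open the "send to a friend" form
   if (is_user($user)) {
      include('modules/' . $module_name . '/var/friend.php');
   } else {
      // Anonymous visitors are sent back to the module index
      header('Location: ../../modules.php?name=' . $module_name);
      die();
   }
   break;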


I would still wrap the echo statements in:
Code:

 if (is_user($user)) {

}
jestrella
Moderator


Joined: Dec 01, 2005
Posts: 535
Location: Santiago, Dominican Republic

Posted: Thu Aug 19, 2010 10:04 pm

Will work the way you proposed! But links will still be shown to anonymous users.

BTW it sure needs to be a registered only function, so I'll address this for next release...
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Aug 20, 2010 6:09 am

jestrella wrote:
Will work the way you proposed! But links will still be shown to anonymous users.

BTW it sure needs to be a registered only function, so I'll address this for next release...


I made it so that the envelope icon doesn't show and therefore neither does the link .. :)

Cheers
jestrella
Moderator


Joined: Dec 01, 2005
Posts: 535
Location: Santiago, Dominican Republic

Posted: Fri Aug 20, 2010 7:57 am

Great, anyways I'll be working on this for next release...
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Aug 20, 2010 8:42 am

Thanks for your attention. I can fix problems with bandaids, just can't do it programmatically. :(

Cheers
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Thu Oct 28, 2010 11:28 am

Somehow or another, the problem returned, I think by re-uploading the distro when I changed servers. Ok tho, I disabled the "friend email" for the time being until a future release.

Cheers
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sat Oct 30, 2010 9:42 am

Guys, it is one thing to not show a link and an entirely different thing if you also do not disable that function altogether. Once the "attack vector" is known, i.e., the op=FriendSend, you have to disable that function altogether.
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Oct 30, 2010 9:50 am

Very true, but mine is "disabled", url does not work, just brings up the Content again.

Cheers
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sat Oct 30, 2010 10:08 am

Sorry, meant op=SendPage. Just remember that the attacker doesn't have to link into the FriendSend page to do this. I can create a form on my own site with a post to the SendPage op with all the fields filled in (or just send the post from a program). You really need to disable the SendPage function for anonymous if you really want to stop this.
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Oct 30, 2010 10:54 am

That doesn't work either but I don't remember disabling it anywhere.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sat Oct 30, 2010 11:11 am

dad7732, if you want me to try, PM me your site link.
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Oct 30, 2010 11:16 am

Better yet, PM me the URL to try.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sat Oct 30, 2010 5:31 pm

dad7732, I can't just give you a link because that would be a GET request and the code is looking for a POST. You may want to try to see if you can get to the content page using:
[link hidden by the forum for unregistered visitors]
(change the content id to whatever you have that is available)

Beyond this, I do not want to disclose any more than this. The rest of what we do should be via PM or just send me an email (since my email address hasn't changed since being on the RN Team ;) ) and we can work through this off-line.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sun Oct 31, 2010 8:51 am

jestrella wrote:
BTW it sure needs to be a registered only function, so I'll address this for next release...


Any way you can maybe make that configurable? News and some blog sites allow you to "share article" type capability and these are anonymous. Someone might still want this capability. However, if I allow anonymous on my site, I would want the RN captcha protecting the final send of that form (again configurable in rnconfig.php with the other module-level captcha settings).
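Added example, not part of any post above and not RavenNuke code: the two points from montego's posts (the check has to sit on the SendPage handler itself, and anonymous sharing could be a setting that requires the captcha) written as one PHP routing function. The function name, the constant, the boolean stand-ins for is_user($user) and the captcha result, and the returned labels are all assumptions made for illustration; only the op values 'share_page' and 'SendPage' come from the thread.

```php
<?php
// Added illustration, not RavenNuke code. Every name below is hypothetical
// except the 'share_page' and 'SendPage' op values quoted in the thread.

// Stand-in for a module-level setting such as one kept in rnconfig.php.
const SHARE_ALLOW_ANONYMOUS = false;

/**
 * Decide what to do with a request to the content module.
 * $isRegistered stands in for the result of is_user($user).
 * $captchaOk stands in for the result of the site's captcha check.
 */
function route_share_request(string $op, string $method, bool $isRegistered,
                             bool $captchaOk, bool $allowAnonymous = SHARE_ALLOW_ANONYMOUS): string
{
    if ($op !== 'share_page' && $op !== 'SendPage') {
        return 'index';                  // unrelated op: normal content index
    }
    // The check lives in the handler, so it applies however the request arrived,
    // whether or not the envelope icon was ever shown to the visitor.
    if (!$isRegistered && !$allowAnonymous) {
        return 'redirect';               // same outcome as the else branch posted earlier
    }
    if ($op === 'share_page') {
        return 'show_form';
    }
    // SendPage is the step that actually sends mail; it only accepts POST.
    if ($method !== 'POST') {
        return 'redirect';
    }
    if (!$isRegistered && !$captchaOk) {
        return 'captcha_failed';         // anonymous senders must pass the captcha
    }
    return 'send_mail';
}

// Constructed requests: [op, method, registered, captcha passed, anonymous allowed]
$cases = [
    'anonymous POST straight to SendPage'   => ['SendPage', 'POST', false, false, false],
    'registered user submits the form'      => ['SendPage', 'POST', true, false, false],
    'anonymous allowed, captcha missing'    => ['SendPage', 'POST', false, false, true],
    'anonymous allowed, captcha passed'     => ['SendPage', 'POST', false, true, true],
    'anonymous opens the form, not allowed' => ['share_page', 'GET', false, false, false],
];
foreach ($cases as $label => $args) {
    printf("%-40s => %s\n", $label, route_share_request(...$args));
}
```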
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Sun Oct 31, 2010 9:46 am

It works on a site where friend is not disabled but does not work on one that is.

Cheers