Madcool979 Posted April 29, 2007
It would be nice to allow for a guest preview for the member's profile, where they can only see pic and maybe some general info. Also if we can add more features such as the ability to add/link more pictures. Also can remote link to personal picture be added back? Any reasons why it was removed?
Mat Barrie Posted April 30, 2007
Was remote linking ever possible for personal photo? I know you could (and still can) with avatars, but I never knew you could with personal photos. That said, I would agree that remote linking should be consistent between personal photo and avatar - if in fact you can't remote link photos.
TCWT Posted April 30, 2007
It was a dumb move to disable remote linking for personal photos.
thecowgoesmoo207 Posted April 30, 2007
It would be somewhat simple to implement the guest preview feature you mentioned. You'd just need to add a few lines of code to check if the person viewing the profile had an account or not and have it show the profile only to registered members and show only the member name and photo to guests. Most of it would be copy & paste from other parts of the profile actually.
Rοb Posted May 1, 2007
> It would be nice to allow for a guest preview for the member's profile, where they can only see pic and maybe some general info. Also if we can add more features such as the ability to add/link more pictures.

Your members can add more pictures and have them displayed in their profile if you purchase and install the gallery component. Example profile here.

> Was remote linking ever possible for personal photo?

Yes.

> It was a dumb move to disable remote linking for personal photos.

Features do not get removed from the software for no reason and I would imagine the decision wasn't taken lightly (i.e. in a rash/"dumb" move). As far as I am aware (and am pretty sure) the change was made for security purposes and I wouldn't be at all surprised if remote linking to avatars also got the chop in a future release...
bfarber Posted May 1, 2007
Remote linking indeed was removed for security purposes. Remote linking opens up CSRF and Social Engineering attacks, as well as traffic monitoring and other lesser issues. Examples:

1) User remote links to a photo. Photo does a silent redirect using location header to {REQUEST_URL}act=sql&query=drop+table+ibf_posts ....not good...

2) User remote links to a photo, which he's added htaccess protection to. Viewers who aren't so savvy get a prompt trying to view the profile for a username + password. User enters their forum details thinking it's the forum they are viewing requesting these details...or in a worst case scenario, an admin who's not so savvy does the same.

3) User's remote photo logs IP, Referer, Date+Time, etc. (not a security issue, but still a privacy issue since the user didn't actually go to the remote site)

There are other possibilities, but at the end of the day it just opens up security issues that we have no way to combat locally from a forum. Since photos are displayed in the ACP, it was a higher priority due to the CSRF attack vectors.
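The three examples in bfarber's post all depend on every viewer's browser contacting the remote host on each page view. The following is an added example, not from the thread or the forum software: a check for a one-time server-side import that stores a local copy instead, rejecting the redirect and password-prompt responses described above. It assumes the fetch itself happens elsewhere with redirects disabled and restricted to public hosts; all names and sample responses are constructed.

```python
import hashlib

# Magic bytes for the image types accepted for local storage (assumed policy).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample responses: (status, headers, body).
SAMPLES = {
    "redirect": (302, {"Location": "https://forum.example/admin-action"}, b""),
    "auth": (401, {"WWW-Authenticate": 'Basic realm="Forum login"'}, b""),
    "html": (200, {"Content-Type": "image/jpeg"}, b"<html>not a photo</html>"),
    "png": (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}


def reject_reasons(status, headers, body):
    """Return the reasons a fetched response must not be stored as a photo."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if 300 <= status < 400 or "location" in h:
        reasons.append("redirect")       # example 1: photo URL bounces elsewhere
    if status == 401 or "www-authenticate" in h:
        reasons.append("auth-prompt")    # example 2: would raise a login dialog
    if status == 200 and not any(body.startswith(m) for m in IMAGE_MAGIC):
        reasons.append("not-an-image")   # declared Content-Type is not trusted
    elif status != 200 and not reasons:
        reasons.append("unexpected-status")
    return reasons


def local_name(status, headers, body):
    """File name for the forum's own copy, or None if the response is rejected."""
    if reject_reasons(status, headers, body):
        return None
    ext = next(e for m, e in IMAGE_MAGIC.items() if body.startswith(m))
    return hashlib.sha256(body).hexdigest()[:16] + "." + ext


if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(label, reject_reasons(*resp), local_name(*resp))
```

Because the stored copy is served from the forum's own origin, profile views no longer generate requests to the photo owner's server, which addresses the logging concern in example 3.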
This topic is now archived and is closed to further replies.