Invision Community
Owdy

Feature request: change themes via URL

The ability to change anyone's skin was reported as a CSRF exploit, so I'm afraid you won't see that functionality back. Essentially, people could make image links that did silent redirects to change your skin without your knowledge/permission. That's what the member hash protects against, and is why it was added to the "change skin" url. So no one can change your skin without you actually doing it yourself.


Then do it like SMF: if you change the theme via URL, it lasts only for that session. A browser reboot resets it back to the user's default.

Like this:

http://nakokulma.net/index.php?theme=35
http://nakokulma.net/index.php?theme=34


But... your skin still changes. That doesn't change the "exploit", only how long the user will be affected by the exploit.


Take the lowest common denominator here. Someone's grandmother who only ever signs online to read some posts on her favorite scrapbooking forum. She logs in, visits a thread she thinks will be interesting, and suddenly the layout is drastically different, the colors are different, the background is black instead of green, the text is white instead of red. She'd be thoroughly confused and have no idea what is going on. All because someone forced her skin to change without her involvement. While tame, it's a valid "exploit" we have to protect against, and so we are.


That's a bit of a long shot, I don't see this as an "exploit" :D Someone's grandmother could accidentally change the skin via that dropdown also, or granddaddy could do that when he uses the same computer.


Yes you can, you just have to add the variable in the URL.



<a href='http://mysite.com/index.php?setskin=1&etc.&k={$this->member->form_hash}'>Change to mobile</a>



Is that a session-only or a permanent change?


The ability to change anyone's skin was reported as a CSRF exploit, so I'm afraid you won't see that functionality back. Essentially, people could make image links that did silent redirects to change your skin without your knowledge/permission. That's what the member hash protects against, and is why it was added to the "change skin" url. So no one can change your skin without you actually doing it yourself.



What if something is done so that if a skin change is done without the session key, it will prompt the user if they want to change the skin or not (at least if they have a session key to compare with).


What if something is done so that if a skin change is done without the session key, it will prompt the user if they want to change the skin or not (at least if they have a session key to compare with).




This I believe would be an ideal solution as it would allow the "best of both" worlds so to speak. Particularly given that 3.1 now has a fully extensible notifications system.

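An added sketch (not part of the original thread and not IP.Board code) of the check discussed above: a skin-change link carrying the member's key is applied, while a request with a missing or wrong key changes nothing and gets a confirmation prompt instead, as proposed. The HMAC-based `formHash()`, the function names and the sample values are assumptions; the thread does not say how IP.Board derives its form hash.

```php
<?php
// Added illustration, not IP.Board code. All names and values here are hypothetical.
const SKINS = [1 => 'Default', 2 => 'Mobile'];   // constructed sample skin table

// Per-member, per-session key; stands in for the form hash the thread mentions.
function formHash(string $secret, int $memberId, string $sessionId): string
{
    return hash_hmac('sha256', $memberId . '|' . $sessionId, $secret);
}

// Decide what a GET like index.php?setskin=2&k=<hash> is allowed to do.
function handleSkinChange(array $query, int $memberId, string $sessionId, string $secret): array
{
    $skinId = filter_var($query['setskin'] ?? null, FILTER_VALIDATE_INT);
    if ($skinId === false || !array_key_exists($skinId, SKINS)) {
        return ['action' => 'reject'];
    }
    $expected = formHash($secret, $memberId, $sessionId);
    $supplied = $query['k'] ?? '';
    // hash_equals() compares in constant time; a non-string k (e.g. k[]=x) is refused.
    if (is_string($supplied) && hash_equals($expected, $supplied)) {
        return ['action' => 'apply', 'skin' => $skinId];
    }
    // Missing or wrong key: change nothing. Render a confirmation form that
    // carries the valid key, so only a deliberate submit changes the skin.
    return ['action' => 'confirm', 'skin' => $skinId, 'k' => $expected];
}

// Constructed requests for member 42 in session "sess-abc".
$secret = 'example-server-secret';
$key    = formHash($secret, 42, 'sess-abc');
$cases  = [
    'link rendered by the forum' => ['setskin' => '2', 'k' => $key],
    'cross-site link, no key'    => ['setskin' => '2'],
    'key from another session'   => ['setskin' => '2', 'k' => formHash($secret, 42, 'sess-xyz')],
    'unknown skin id'            => ['setskin' => '99', 'k' => $key],
];
foreach ($cases as $label => $query) {
    $result = handleSkinChange($query, 42, 'sess-abc', $secret);
    echo str_pad($label, 28), ' => ', $result['action'], PHP_EOL;
}
```

An image link with a silent redirect can only trigger the keyless GET, which lands on the confirmation branch and leaves the skin untouched.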

I would also say that it is a useful feature.

Now in 3.0.5, I have a problem with user-agent detection for guests visiting the site with a mobile device.

I do not want a guest to be able to change the skin choice for all guests to the mobile skin (as there are fewer ads on the mobile skin than on the main skin).

Therefore, I have not enabled the mobile skin for the 'guest' group, so the user-agent detected mobile skin is only shown to logged in users.

I'm not sure if I made myself completely clear, but I would like to be able to change the skin either by url or somehow by using a sub-url, such as http://mobile.yourwebsite.com/

Thanks!


Try this attached file.

Put it in your root forum directory and then when you want to link directly to a skin, use:

yoursite.com/forum/skinchange.php?id=X (where X is the skin ID).

This will of course override the CSRF protection, but you have the option. I'll add this into the 'tools' folder in 3.1.


See the URL mapping section here: http://community.invisionpower.com/resources/official.html?record=162



That's a good thing to know, but still, this doesn't overrule that a guest would not be allowed to see such skin...


That's a good thing to know, but still, this doesn't overrule that a guest would not be allowed to see such skin...




Then don't set Guests able to use the skin. You're contradicting yourself here, you want guests using mobile devices to be able to use the skin but you don't want guests able to use the skin. You want to do it by URL but don't want to do it by URL mapping.

I know IPS is good, but they haven't mastered Quantum Theory yet.

