Topic: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Just sharing a bug to make Elkarte perfect :D

My fingers are very itchy indeed.. so was testing out what happens when a member isn't allowed to view others' profile.......

And then when I log in through that fake member's account, there's no page to say that the section is off limits.. It simply goes to a HTTP ERROR 500 page. :(

Facta, non verba.

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #1

Sorry, my mind is a little numb, would you mind explaining step by step what you did?
Something like:
1) create two accounts with no particular groups,
2) registered members don't have "view others profiles" permission,
3) ...
Bugs creator.
Features destroyer.
Template killer.

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #2

1) All permissions in "Post count based groups" are set to 0.

2) User is given a Primary Membergroup "Active Member".

3) View profile summary and stats of "Active Member" for -
Own profile:   
Any profile:   
BOTH set to "cleared" - meaning unchecked.

4) When the user tries to view other people's profile, it goes to HTTP ERROR 500.

5) :'(
Facta, non verba.

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #3

The two errors are here, if it helps:


      // Set the template for this area... if you still can :P
      // and add the profile layer.
      $context['sub_template'] = $this->_profile_include_data['function'];
      Template_Layers::getInstance()->add('profile');

in Profile.controller.php - Undefined index: function



   else
   {
      // a single function name... call it over!
      $selectedMenu['function']();
   }

in Menu.subs.php - Undefined index: function
Facta, non verba.

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #4

Ohh... okay, now I got it.
It's a kind of special case: in the particular situation you are describing, the registered members still have the permission to send PMs, and this becomes the only action the members are allowed to do, so Elk tries to send them to the "send PM" page, though, send pm is a special case, because it's handled by the PM controllers and so it uses a custom url and not a function, soooo Elk tries to use the function, but it doesn't find it and that generates an error.

I see two ways to "fix" this behaviour: 1) redirect to the only possible action, 2) stop the members and present the "you are not allowed" page.
I would lean towards 2, but I'm not entirely sure.
Bugs creator.
Features destroyer.
Template killer.
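
The failure mode and option 2 described in Reply #4, as an added example that is not part of the original thread and not ElkArte's own code. The area layout, permission names and function names are hypothetical; the point is that a fallback area without a callable 'function' ends in an access-denied response rather than an unhandled error.

```php
<?php
// Hypothetical, simplified model of a profile menu; not ElkArte's actual code.
// Each area needs a permission and has EITHER a 'function' to call
// OR a 'custom_url' handled by another controller (like "send PM").
$areas = [
    'summary' => ['permission' => 'profile_view_any', 'function' => 'showSummary'],
    'send_pm' => ['permission' => 'pm_send', 'custom_url' => '?action=pm;sa=send'],
];

function showSummary(): string
{
    return 'summary page';
}

// Return the requested area if permitted; otherwise the first permitted area.
function selectArea(array $areas, string $requested, array $userPerms): ?array
{
    $first = null;
    foreach ($areas as $id => $area) {
        if (!in_array($area['permission'], $userPerms, true)) {
            continue;
        }
        if ($id === $requested) {
            return $area;
        }
        $first = $first ?? $area;
    }
    return $first;
}

// Option 2 from the thread: deny instead of calling a 'function' that is not there.
// Without this guard, $selected['function']() on the PM area is the undefined index.
function dispatch(?array $selected): string
{
    if ($selected === null || !isset($selected['function']) || !is_callable($selected['function'])) {
        http_response_code(403);
        return "Sorry, we can't let you access this section.";
    }
    return $selected['function']();
}

// Constructed case from the thread: profile view cleared, PM still allowed.
echo dispatch(selectArea($areas, 'summary', ['pm_send'])), "\n";
// Same request from a member who may view profiles.
echo dispatch(selectArea($areas, 'summary', ['profile_view_any', 'pm_send'])), "\n";
```
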

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #5

Oh wow.. you're right, so the minute I unchecked the Send Personal Message, then it goes to this:
Sorry, we can't let you access this section. We can't even tell you if it exists. You're welcome to visit the main page and choose your way from there

No more errors! :D

Hmm......... so if it was 1), then it would be to redirect to the "Send Personal Message to that person"'s page, right?

But if you can't view another person's profile, then I would guess normally you shouldn't be able to message that person as well... otherwise why would the admin bar a person from viewing other people's profile.. hmm.. So I guess 2) is a good option too.. but hmm.....
Facta, non verba.

Re: View Any Profile (Permission Cleared) - HTTP ERROR 500 (1.1)

Reply #6

First case is by mistake: someone doesn't realize that the two are two totally independent permissions and may assign them that way (denied view, allowed pm).
Second case... well, PM permission is anyway necessary to, for example, contact the administrators, so it may be necessary to have.
Third: privacy, the admin does not want other people lurking on profile pages, but is fine with them communicating via a private-ish means.
Bugs creator.
Features destroyer.
Template killer.