Commit d83a6fa9 authored by Richard Mansfield's avatar Richard Mansfield
Browse files

Deny access to logged out users viewing profiles that don't exist yet (bug 3129)

parent 45d3205a
......@@ -396,6 +396,10 @@ class User {
public function get_profile_view() {
$viewid = get_field('view', 'id', 'type', 'profile', 'owner', $this->get('id'));
if (!$viewid) {
global $USER;
if (!$USER->get('id')) {
return null;
}
return $this->install_profile_view();
}
return new View($viewid);
......
......@@ -122,7 +122,7 @@ class View {
* Creates a View for the given user, based off a given template and other
* View information supplied.
*
* Will set a default title of 'Copy of $viewtitle' if not title is
* Will set a default title of 'Copy of $viewtitle' if title is not
* specified in $viewdata.
*
* @param array $viewdata See View::_create
......
......@@ -55,7 +55,7 @@ $userobj = new User();
$userobj->find_by_id($userid);
$view = $userobj->get_profile_view();
# access will either be logged in (always) or public as well
if (!can_view_view($view->get('id'))) {
if (!$view || !can_view_view($view->get('id'))) {
throw new AccessDeniedException();
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment