Deny access to logged out users viewing profiles that don't exist yet (bug 3129)

d83a6fa9 · Richard Mansfield · 45d3205a · d83a6fa9 · d83a6fa9 · d83a6fa9
Commit d83a6fa9 authored Feb 10, 2009 by Richard Mansfield
--- a/htdocs/auth/user.php
+++ b/htdocs/auth/user.php
@@ -396,6 +396,10 @@ class User {
    public function get_profile_view() {
        $viewid = get_field('view', 'id', 'type', 'profile', 'owner', $this->get('id'));
        if (!$viewid) {
+            global $USER;
+            if (!$USER->get('id')) {
+                return null;
+            }
            return $this->install_profile_view();
        }
        return new View($viewid);

--- a/htdocs/lib/view.php
+++ b/htdocs/lib/view.php
@@ -122,7 +122,7 @@ class View {
     * Creates a View for the given user, based off a given template and other 
     * View information supplied.
     *
-     * Will set a default title of 'Copy of $viewtitle' if not title is 
+     * Will set a default title of 'Copy of $viewtitle' if title is not 
     * specified in $viewdata.
     *
     * @param array $viewdata See View::_create

--- a/htdocs/user/view.php
+++ b/htdocs/user/view.php
@@ -55,7 +55,7 @@ $userobj = new User();
 $userobj->find_by_id($userid);
 $view = $userobj->get_profile_view();
 # access will either be logged in (always) or public as well
-if (!can_view_view($view->get('id'))) {
+if (!$view || !can_view_view($view->get('id'))) {
    throw new AccessDeniedException();
 }