Alec Taylor | 16 Jun 2012 06:02

[web2py] Bug in web2py cookbook — facebook-clone example

I just installed the facebook-clone example, and started fiddling around by testing its features.

Issue

Attempts to view profile+wall of people offering friendship redirects you to your wall.

Steps to reproduce

  1. Create an account
  2. Add some wall updates
  3. Logout
  4. Create a different account
  5. Add some [different] wall updates
  6. Search for first profile
  7. Click link to view profile
  8. Add that person as friend
  9. Logout
  10. Login as first profile
  11. Click "Friends" tab
  12. Note that "Friendship Offered" now includes hyperlinked name of second profile with [accept] [deny] buttons
  13. Click second profile name
  14. Presented with own profile
Issue reported: https://github.com/mdipierro/web2py-recipes-source/issues/1
Alan Etkin | 17 Jun 2012 01:03

[web2py] Re: Bug in web2py cookbook — facebook-clone example

This is the facebook clone's very dire user policy's fault.

Unless you had requested friendship for the other user and he has accepted you, you cannot see his profile.

You could hack this security check:

(default.py line 102)

if not user or not (user.id==me or \
    myfriends(Link.target==user.id).count()):
    redirect(URL('home'))


And change it to this more permissive statement:
if not user or not (user.id==me or \
    myfriends(Link.target==user.id).count() or \
    db(db.link.target==me).count()):
    redirect(URL('home'))

Issue

Attempts to view profile+wall of people offering friendship redirects you to your wall.

Alan Etkin | 17 Jun 2012 01:13

[web2py] Re: Bug in web2py cookbook — facebook-clone example

Sorry. Too permissive. I meant this:

if not user or not (user.id==me or \
    myfriends(Link.target==user.id).count() or \
    db((db.link.source==user.id) & \
       (db.link.target==me)).count()):
    redirect(URL('home'))

Now you should be able to examine a user's profile before you decide to accept the link.

On Saturday, 16 June 2012 20:03:22 UTC-3, Alan Etkin wrote:
And change it to this more permissive statement:
if not user or not (user.id==me or \
    myfriends(Link.target==user.id).count() or \
    db(db.link.target==me).count()):
    redirect(URL('home'))

Issue

Attempts to view profile+wall of people offering friendship redirects you to your wall.
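The difference between the first patch (reply of 01:03) and the corrected one (reply of 01:13) is easy to miss in a one-line condition, so here is an added example, not code from the thread or from the web2py cookbook, that models the three visibility checks as plain Python predicates over an in-memory `link` table. The table shape (a row means `source` offered friendship to `target`, with an `accepted` flag), the `is_friend` stand-in for `myfriends(...)`, and the users Alice, Bob and Carol are all assumptions made for the demonstration. It shows why `db(db.link.target==me).count()` over-grants: once anyone has sent you a request, every profile on the site becomes viewable, whereas the corrected check only opens the profile of the user who actually sent the request.

```python
"""Model of the facebook-clone profile-visibility check, outside web2py.

Constructed example: the three predicates mirror the three `if` statements
from the thread; the `link` table shape, the users and the `is_friend` rule
are assumptions, not the recipe's own definitions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One row of the clone's `link` table (assumed shape)."""
    source: int            # user who sent the friendship request
    target: int            # user who received it
    accepted: bool = False # True once the target clicked [accept]


def is_friend(me: int, other: int, links: list) -> bool:
    """Stand-in for `myfriends(Link.target==other).count()`: an accepted
    link in either direction. Assumed; the recipe may define it differently."""
    return any(l.accepted and {l.source, l.target} == {me, other} for l in links)


def can_view_original(me: int, user_id: int, links: list) -> bool:
    """Check as shipped (default.py line 102): self or accepted friends only.
    A pending request from `user_id` is NOT enough, hence the reported bug."""
    return user_id == me or is_friend(me, user_id, links)


def can_view_too_permissive(me: int, user_id: int, links: list) -> bool:
    """First proposed patch, `db(db.link.target==me).count()`: true for ANY
    pending request addressed to me, no matter who `user_id` is."""
    return (can_view_original(me, user_id, links)
            or any(l.target == me and not l.accepted for l in links))


def can_view_fixed(me: int, user_id: int, links: list) -> bool:
    """Second patch, `(db.link.source==user.id) & (db.link.target==me)`:
    only the user who actually sent me a request is unlocked."""
    return (can_view_original(me, user_id, links)
            or any(l.source == user_id and l.target == me and not l.accepted
                   for l in links))


# Constructed data: Bob has offered friendship to Alice; Carol is a stranger.
ALICE, BOB, CAROL = 1, 2, 3
LINKS = [Link(source=BOB, target=ALICE)]


def visibility_matrix(me: int = ALICE, links: list = LINKS) -> dict:
    """For each variant of the check, which profiles can `me` open?"""
    checks = {
        "original": can_view_original,
        "too_permissive": can_view_too_permissive,
        "fixed": can_view_fixed,
    }
    return {name: {uid: fn(me, uid, links) for uid in (ALICE, BOB, CAROL)}
            for name, fn in checks.items()}


if __name__ == "__main__":
    for name, row in visibility_matrix().items():
        verdicts = {uid: ("view" if ok else "redirect") for uid, ok in row.items()}
        print(f"{name:15s} {verdicts}")
```

Run as a script it prints one row per variant: the shipped check redirects Alice away from Bob's profile (the bug), the first patch lets her open Carol's profile too (the over-grant), and the second patch opens Bob's profile only. Swapping `accepted=False` for `accepted=True` on the constructed row shows both users passing the original check once the link is accepted.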

