
Bug: "Remove Picture" appears for everyone

edited November 2009 in Vanilla 2.0 - 2.8
On any profile page, when not logged in or logged in as another user, the "Remove Picture" link shows in the sidebar. Clicking it will result in a Permission Denied error.


Line 483 of applications/garden/controllers/profile.php:

$SideMenu->AddLink('Options', 'Remove Picture', '/profile/removepicture/'.$this->User->UserID.'/'.$Session->TransientKey(), FALSE, array('class' => 'RemovePictureLink'));

This should be corrected to:

$SideMenu->AddLink('Options', 'Remove Picture', '/profile/removepicture/'.$this->User->UserID.'/'.$Session->TransientKey(), 'Garden.Users.Edit', array('class' => 'RemovePictureLink'));

(Note the change of the fourth parameter (Required permission) from 'FALSE' to 'Garden.Users.Edit')
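
An added illustration, not code from the original post or from Vanilla: a minimal PHP model of a menu whose links carry a required permission, showing the link disappearing for an unprivileged viewer once a permission name replaces FALSE, while the server-side check still decides the outcome. DemoSession, DemoSideMenu, removePicture, the user IDs and the handler's use of 'Garden.Users.Edit' are assumptions made for the example.

```php
<?php
// Hypothetical stand-ins for the session and side menu; not Vanilla/Garden classes.
final class DemoSession {
    public function __construct(public int $userId, private array $permissions) {}

    public function checkPermission(string $permission): bool {
        return in_array($permission, $this->permissions, true);
    }
}

final class DemoSideMenu {
    private array $links = [];

    public function __construct(private DemoSession $session) {}

    // $permission === false: link is shown to everyone.
    // Otherwise it is shown only when the viewer holds that permission.
    public function addLink(string $text, string $url, string|false $permission = false): void {
        if ($permission === false || $this->session->checkPermission($permission)) {
            $this->links[] = [$text, $url];
        }
    }

    public function texts(): array { return array_column($this->links, 0); }
}

// Server-side handler (assumed check): this is the control that denies the action.
// Hiding the link only stops offering an action that would be refused anyway.
function removePicture(DemoSession $session, int $targetUserId): string {
    if (!$session->checkPermission('Garden.Users.Edit')) {
        return 'Permission Denied';
    }
    return "Picture removed for user $targetUserId";
}

// Constructed viewers: an anonymous visitor and a user holding the edit permission.
$viewers = ['visitor' => new DemoSession(0, []), 'moderator' => new DemoSession(7, ['Garden.Users.Edit'])];
foreach ($viewers as $name => $session) {
    $before = new DemoSideMenu($session);   // fourth argument FALSE, as on line 483
    $before->addLink('Remove Picture', '/profile/removepicture/42', false);
    $after = new DemoSideMenu($session);    // permission name supplied instead
    $after->addLink('Remove Picture', '/profile/removepicture/42', 'Garden.Users.Edit');
    printf("%-9s links before=%d after=%d handler=%s\n", $name,
        count($before->texts()), count($after->texts()), removePicture($session, 42));
}
```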
