Bug: "Remove Picture" appears for everyone
On any profile page, when not logged in or logged in as another user, the "Remove Picture" link shows in the sidebar. Clicking it will result in a Permission Denied error.
Line 483 of applications/garden/controllers/profile.php
$SideMenu->AddLink('Options', 'Remove Picture', '/profile/removepicture/'.$this->User->UserID.'/'.$Session->TransientKey(), FALSE, array('class' => 'RemovePictureLink'));
This should be corrected to
$SideMenu->AddLink('Options', 'Remove Picture', '/profile/removepicture/'.$this->User->UserID.'/'.$Session->TransientKey(), 'Garden.Users.Edit', array('class' => 'RemovePictureLink'));
(Note the change of the fourth parameter (Required permission) from 'FALSE' to 'Garden.Users.Edit')
Comments
Thanks for the catch!