
Profile.json - Get email from non-admin users!

Hey all,

I've looked around in the core files and on the forums but cannot find this information. I am using profile.json for an in-house SSO of sorts. The issue is I need to access the user's email address. In testing, this works fine... however, I did not know that non-admin users will not have their email show up in the JSON object. Only admin users will have an email value in the profile.json.

Is there a way to enable this functionality? I am well enough to edit and modify php code, I just need to know where to look.

Thanks all!

  • Davison

Comments

  • R_J Ex-Fanboy Munich Admin

    Look here (as an example): https://open.vanillaforums.com/profile/edit
    Do you see the "Allow other members to see your email?" box? If that is checked, the mail address should be enclosed in the json. If not, it shouldn't. If your user does not allow publishing his mail address you shouldn't do it.

  • @R_J said:
    Look here (as an example): https://open.vanillaforums.com/profile/edit
    Do you see the "Allow other members to see your email?" box? If that is checked, the mail address should be enclosed in the json. If not, it shouldn't. If your user does not allow publishing his mail address you shouldn't do it.

    Thanks for your reply!

    Do you think there is a way to edit a core file or create a plugin that checks for this setting and returns an email address in JSON regardless of this setting? I would rather not force users to have to publish email addresses (or to enable that by default).

  • x00 MVP
    edited August 2017

    I think you need to understand the security principles behind SSO first, because if you have to ask this question you are doing it wrong and your SSO will be an attack vector.

    grep is your friend.

  • Do you want your forum to be the SSO authority, or do you wish to connect SSO to your forum?

    grep is your friend.

  • @x00 said:
    Do you want your forum to be the SSO authority, or do you wish to connect SSO to your forum?

    Originally, I was wishing to use the forum as the SSO authority but I could not find an example of what I was wanting to do. So, instead I created a custom application (outside of vanilla) that authenticates a user by requesting profile.json. My thoughts:

    • Profile.json is hardcoded in the application so it's not easily known that is the resource requested
    • Plans to make JSON file not accessible to the public with permissions
    • The JSON file should only have information about the current logged in user, else it returns not logged in

    The custom application checks the JSON file for a user name, userid, and email address. If these fields exist, it logs the user (or creates a new account) into the application. There is no password field and the user cannot manually log into the application without first logging into vanilla.

  • x00 MVP
    edited August 2017

    Although your forum is "trusted", you aren't doing this in a trusted way that wouldn't be vulnerable to fraudulent requests.

    The session exists on the client (there is no such thing as "logged in"; HTTP is stateless, which is why you have session cookies). You are then transmitting this to the server without any background verification or authentication. You would not know where that information has been sent from, or be able to trust the client.

    So you would have to either verify that the client-side connection has a genuine session, which is a complicated multi-step process.

    Or you would need to first request a security token, then use that to verify server to server, and the payload could be that information.

    These two applications would not share a session; it is merely used to create the session of your other application.

    grep is your friend.

  • DavisonY New
    edited August 2017

    @x00 said:
    Although your forum is "trusted", you aren't doing this in a trusted way that wouldn't be vulnerable to fraudulent requests.

    The session exists on the client (there is no such thing as "logged in"; HTTP is stateless, which is why you have session cookies). You are then transmitting this to the server without any background verification or authentication. You would not know where that information has been sent from, or be able to trust the client.

    So you would have to either verify that the client-side connection has a genuine session, which is a complicated multi-step process.

    Or you would need to first request a security token, then use that to verify server to server, and the payload could be that information.

    These two applications would not share a session; it is merely used to create the session of your other application.

    Do you know of any out of the box solutions where vanilla forums is the master? I could easily implement my application into another CMS such as WordPress. In fact, that was the original idea until I ran into trouble with figuring out how to implement an SSO as Vanilla as the master and WP as the slave. I do need to think more about the security aspect and think this would be the safer route to go.
