[#2913] Hidden profiles can be guessed and pulled via url

Hi Guys

My CB setup is such that profile owners can only visit the profiles of the other member of their organization.

Unfortunately, guessing usernames and inserting them into the url is enough to show up the profiles of people who are not in the same organization as the logged-in user.

/my-profile/userprofile/user_name

of course the tabs can be hidden via the privacy plugin, but still, this is a show-stopper for me.

Is there a way around this? Is there a way to hide or obfuscate the url? (as is the case for the user lists)

Thanks

John

Of course without some sort of PHP (server side) code to protect the profiles from unauthorized access they'll be able to see the profiles. You could use incubator project CB Auto Actions (requires professional subscription) with a redirect action on the after profile display trigger checking the organization field matches and if not redirect.

For some reason you gave me access to the incubator in the past... I just installed the plugin in my test site and it seems perfect for the job. but I do not know if I can use it and I am desperately broke, (I am not paid for this job).

Also, I am incapable of figuring what to enter in the two fields: one for the organization field of the profile and the other for the organization field of the logged-in user.

Can you help me with any of this...



Thanks

For some reason you gave me access to the incubator in the past... I just installed the plugin in my test site and it seems perfect for the job. but I do not know if I can use it and I am desperately broke, (I am not paid for this job).

Users who subscribed before the introduction of incubator were given access to the incubator as part of their advanced subscription. This access will end when you renew as you'd need to upgrade to professional. So no worries until renewal.

Also, I am incapable of figuring what to enter in the two fields: one for the organization field of the profile and the other for the organization field of the logged-in user.

The conditions are substitution supported so you could do [cb_field] Equal To [cb_field2] for example.

Thanks a lot Kyle,

what I am trying to compare here is the [cb_field] of the profile that is about to be displayed to the same [cb_field] in the profile of the logged-in user (to determined if the logged-in user is entitled to see the profile).

thanks

John

Ah I see, you'll need a more advanced substitution then. Please try the below.

[cb:userdata field="FIELD_NAME" user="#displayed" /]
Equal To
[cb:userdata field="FIELD_NAME" user="#me" /]

Please note this only will work on users profiles as #displayed is determined using the &user= parameter in the URL. To avoid issues on your own profile you may want to use #displayedOrMe instead of #displayed.