Forums / General / prevent "spoofing" sender's email address in tip a friend
Herman Hardenbol
Thursday 09 February 2006 3:09:26 am
I have the standard "Tip a friend" option turned on. In my intranet installation everybody needs to log on. How could I force users to use their own user name and user email as the sender and not change the prefilled name and email? (in ezpublish 3.6.2)
I am looking for a more secure solution than just making the HTML fields read only.
Any small hint is more than welcome. Thanks a lot.
Martin Lekvall
Friday 10 February 2006 2:39:58 am
Hi
This is an idea, not tested. You might want to override the tipafriend-template and make the email and name form fields hidden. The values of these fields are prefilled with the address automagically if the user is logged in, right?
For usability I guess printing out that "tip will be sent from John Doe (john@foo.bar)" or similar is a good idea.
/martin
EzP 3.5.0, OE 2.0 RH-EL3 2.4, mySql 4.1.7, php 4.3.9, apache 1.3.33
Sunday 12 February 2006 1:54:46 pm
Thanks Martin. I was just about to hack the kernel, when I found that the kernel supplies the username and useremail for the logged in user account when name and email are not sent from the HTML form.
In /templates/content/tipafriend.tpl I have removed the input fields for sender's name and sender's email and that's all!! I am happy. :-)
Nice solution for my intranet environment where everybody needs to log in and everybody has an email address.
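
The fix above relies on the kernel falling back to the logged-in account when the form sends no sender fields. As an added example (not eZ publish code and not written by the posters), this PHP function enforces the same thing on the server: the sender comes only from the session, and posted sender fields are ignored and logged. The function name, the array keys and the field names `YourName`/`YourEmail` are assumptions.

```php
<?php
// Hypothetical helper, not eZ publish code: function name, array keys and
// form field names are assumptions made for this example.

/**
 * Build the tip-a-friend sender from the authenticated session only.
 * Anything the browser posted for the sender is ignored, and logged if it differs.
 */
function resolveTipSender(array $post, ?array $sessionUser): array
{
    if ($sessionUser === null || empty($sessionUser['email'])) {
        throw new RuntimeException('Tip a friend requires a logged-in user with an email address');
    }

    // Collapse CR/LF in the display name so it cannot add extra mail headers.
    $name  = trim(preg_replace('/[\r\n]+/', ' ', (string)($sessionUser['name'] ?? '')));
    $email = trim((string)$sessionUser['email']);

    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Stored email address is not valid');
    }

    // A posted sender that differs from the account means the form was altered.
    // Only the field name is logged, never the posted value.
    foreach (['YourName' => $name, 'YourEmail' => $email] as $field => $expected) {
        if (isset($post[$field]) && trim((string)$post[$field]) !== $expected) {
            error_log(sprintf('tipafriend: ignored posted %s for user %s', $field, $email));
        }
    }

    return ['name' => $name, 'email' => $email];
}

// Constructed sample input: the session says John Doe, the POST claims someone else.
$session = ['name' => 'John Doe', 'email' => 'john@foo.bar'];
$post    = ['YourName' => 'The Boss', 'YourEmail' => 'boss@foo.bar', 'ReceiversEmail' => 'jane@foo.bar'];

$sender = resolveTipSender($post, $session);
printf("Tip will be sent from %s (%s)\n", $sender['name'], $sender['email']);
```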