prevent "spoofing" sender's email address in tip a friend

Next topic

Author	Message
Herman Hardenbol	Thursday 09 February 2006 3:09:26 am I have the standard "Tip a friend" option turned on. In my intranet installation everybody needs to logon. How could I force users to use there own user name en user email as a sender and not changed the prefilled name and email? (in ezpublish 3.6.2) I am looking for a more secure solution than just making the HTML fields read only. Any small hint is more than welcome. Thanks a lot.
Martin Lekvall	Friday 10 February 2006 2:39:58 am Hi This is an idea, not tested. You might want to override the tipafriend-template and make the email and name-formfields hidden. The value of these fields are prefilled with address automagicaly if user is logged in, right? For usabillity i guess printing out that "tip will sent from John Doe (john@foo.bar)" or similar is a good idea. /martin EzP 3.5.0, OE 2.0 RH-EL3 2.4, mySql 4.1.7, php 4.3.9, apache 1.3.33
Herman Hardenbol	Sunday 12 February 2006 1:54:46 pm Thanks Martin. I was just about to hack the kernel, when I found that the kernel supplies the username and useremail for the logged in user account when name and email are not sent from the HTML form. In /templates/content/tipafriend.tpl I have removed the input fields for sender's name and sender's email and that's all!! I am happy. :-) Nice solution for my intranet environment where everybody needs to login and everybody has an email address.

Author

Message

Thursday 09 February 2006 3:09:26 am

I have the standard "Tip a friend" option turned on. In my intranet installation everybody needs to logon. How could I force users to use there own user name en user email as a sender and not changed the prefilled name and email? (in ezpublish 3.6.2)

I am looking for a more secure solution than just making the HTML fields read only.

Any small hint is more than welcome. Thanks a lot.

Martin Lekvall

Friday 10 February 2006 2:39:58 am

This is an idea, not tested.
You might want to override the tipafriend-template and make the email and name-formfields hidden. The value of these fields are prefilled with address automagicaly if user is logged in, right?

For usabillity i guess printing out that "tip will sent from John Doe (john@foo.bar)" or similar is a good idea.

/martin

EzP 3.5.0, OE 2.0
RH-EL3 2.4, mySql 4.1.7, php 4.3.9, apache 1.3.33

Herman Hardenbol

Sunday 12 February 2006 1:54:46 pm

Thanks Martin. I was just about to hack the kernel, when I found that the kernel supplies the username and useremail for the logged in user account when name and email are not sent from the HTML form.

In /templates/content/tipafriend.tpl I have removed the input fields for sender's name and sender's email and that's all!! I am happy. :-)

Nice solution for my intranet environment where everybody needs to login and everybody has an email address.

eZ debug

Timing:	Jan 18 2025 22:36:55
Script start
Timing:	Jan 18 2025 22:36:55
Module start 'layout'
Timing:	Jan 18 2025 22:36:55
Module start 'content'
Timing:	Jan 18 2025 22:36:56
Module end 'content'
Timing:	Jan 18 2025 22:36:56
Script end

Main resources:

Total runtime	1.5032 sec
Peak memory usage	4,096.0000 KB
Database Queries	57

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0057	588.1328	152.6406
Module start 'layout'	0.0057	0.0044	740.7734	39.4766
Module start 'content'	0.0102	1.4917	780.2500	495.5313
Module end 'content'	1.5019	0.0013	1,275.7813	8.1094
Script end	1.5032		1,283.8906

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0034	0.2231	16	0.0002
Check MTime	0.0015	0.0968	16	0.0001
Mysql Total
Database connection	0.0007	0.0476	1	0.0007
Mysqli_queries	1.4621	97.2639	57	0.0257
Looping result	0.0005	0.0341	55	0.0000
Template Total	1.4583	97.0	2	0.7292
Template load	0.0018	0.1213	2	0.0009
Template processing	1.4565	96.8907	2	0.7282
Template load and register function	0.0003	0.0190	1	0.0003
states
state_id_array	0.0025	0.1663	1	0.0025
state_identifier_array	0.0024	0.1602	2	0.0012
Override
Cache load	0.0015	0.0984	16	0.0001
Sytem overhead
Fetch class attribute can translate value	0.0006	0.0371	2	0.0003
Fetch class attribute name	0.0009	0.0618	3	0.0003
XML
Image XML parsing	0.0002	0.0161	2	0.0001
class_abstraction
Instantiating content class attribute	0.0000	0.0005	3	0.0000
General
dbfile	0.0006	0.0432	10	0.0001
String conversion	0.0000	0.0005	4	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
3	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
4	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
1	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	print_pagelayout.tpl	<No override>	extension/community/design/community/templates/print_pagelayout.tpl
Number of times templates used: 10 Number of unique templates used: 5

Time used to render debug report: 0.0001 secs