prevent "spoofing" sender's email address in tip a friend


Herman Hardenbol

Thursday 09 February 2006 3:09:26 am

I have the standard "Tip a friend" option turned on. In my intranet installation everybody needs to log on. How could I force users to use their own user name and user email as the sender and not change the prefilled name and email? (in ezpublish 3.6.2)

I am looking for a more secure solution than just making the HTML fields read only.

Any small hint is more than welcome. Thanks a lot.

Martin Lekvall

Friday 10 February 2006 2:39:58 am

Hi

This is an idea, not tested.
You might want to override the tipafriend template and make the email and name form fields hidden. The values of these fields are prefilled with the address automagically if the user is logged in, right?

For usability I guess printing out that "tip will be sent from John Doe (john@foo.bar)" or similar is a good idea.

/martin

EzP 3.5.0, OE 2.0
RH-EL3 2.4, mySql 4.1.7, php 4.3.9, apache 1.3.33

Herman Hardenbol

Sunday 12 February 2006 1:54:46 pm

Thanks Martin. I was just about to hack the kernel, when I found that the kernel supplies the username and useremail for the logged in user account when name and email are not sent from the HTML form.

In /templates/content/tipafriend.tpl I have removed the input fields for sender's name and sender's email and that's all!! I am happy. :-)

Nice solution for my intranet environment where everybody needs to log in and everybody has an email address.
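The thread describes the account name and email being used only when the form does not send a name and email, so a request that still carries those fields would need a server-side check. The following is an added example, not part of the original posts and not eZ Publish kernel code: it always takes the sender from the logged-in session and flags requests whose sender fields differ. The function name, the `YourName` / `YourEmail` / `ReceiversEmail` field names and the `$sessionUser` array shape are assumptions.

```php
<?php
// Added example: hypothetical helper, not eZ Publish kernel code.
// Field names and the $sessionUser array shape are assumptions.

/**
 * Returns the sender identity for a tip-a-friend mail.
 * The identity always comes from the authenticated session; sender fields
 * present in the request are ignored and reported as a mismatch.
 */
function resolveTipSender(array $post, ?array $sessionUser): array
{
    if ($sessionUser === null || empty($sessionUser['email'])) {
        throw new RuntimeException('Tip a friend requires a logged-in user with an email address');
    }

    $name  = trim((string) ($sessionUser['name'] ?? ''));
    $email = trim((string) $sessionUser['email']);

    // Account data ends up in mail headers: reject CR/LF and malformed addresses.
    if (preg_match('/[\r\n]/', $name . $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Account name or email is not usable as a mail sender');
    }

    // Flag requests that still carry sender fields differing from the account.
    $mismatch = false;
    foreach (['YourName' => $name, 'YourEmail' => $email] as $field => $expected) {
        if (array_key_exists($field, $post) && $post[$field] !== $expected) {
            $mismatch = true;
        }
    }

    return ['name' => $name, 'email' => $email, 'mismatch' => $mismatch];
}

// Constructed sample input: a session user and a request carrying other sender values.
$sessionUser = ['name' => 'John Doe', 'email' => 'john@foo.bar'];
$post = ['YourName' => 'Someone Else', 'YourEmail' => 'ceo@foo.bar',
         'ReceiversEmail' => 'jane@foo.bar'];

$sender = resolveTipSender($post, $sessionUser);
if ($sender['mismatch']) {
    // Log for review; the mail is still sent with the account identity.
    error_log('tipafriend: submitted sender fields ignored for ' . $sender['email']);
}
printf("From: %s <%s>\n", $sender['name'], $sender['email']);
```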
