Registered user changing login name to a naughty word!!

Moderators: mandville, PhilD, General Support Moderators

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

Registered user changing login name to a naughty word!!

Post by theteacher999 » Wed Apr 04, 2018 12:56 pm

I run a website where all students at a school are given one general login and password for everyone to use.

One clever student has worked out that after logging in, they can then type the following in the URL:

<domain-name>/index.php?option=com_users&view=profile&layout=edit

then change the name and submit it! They are changing the username to naughty words!!

So far, I've gone to Users -> Options and made sure that the 'Change name' option was set to 'No' but sadly, this has not stopped the problem. I've also checked that the 'Show Profile link' is set to No in the Login module.

So, peeps - how do I prevent the clever scrotum from doing this, please? :D

Thanks

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

Re: Registered user changing login name to a naughty word!!

Post by theteacher999 » Thu Apr 05, 2018 12:23 pm

Could we move this back to the original forum, please, where there is a chance someone may read it? Thanks.

mandville
Joomla! Master
Posts: 14721
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Registered user changing login name to a naughty word!!

Post by mandville » Thu Apr 05, 2018 12:39 pm

It is in the correct forum.
You want to try and control the access to a user profile edit for a user that has multiple people using it.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

rcarey
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)

Re: Registered user changing login name to a naughty word!!

Post by rcarey » Wed Apr 11, 2018 12:41 am

He may be clever enough to know how to get to the edit screen, but you have the ability to override that screen and insert code that will preclude him from using that form. (And if you are clever enough, you could catch that field in the foreach loop and change that field to readonly.)

I gave a quick look at the code producing the form, and I don't think (out-of-the-box) there is a permission you can set to prevent someone from editing the name field on that form. So I suggest the override approach so that you can add the logic you want.

If you don't want them changing anything, even updating the password... override the file /components/com_users/views/profile/tmpl/edit.php , and at the top of that file add a check of the user's group membership. If the user is not an admin or super (or whatever your criteria is), print a nice message and "return" or "exit()," or redirect to the home page. That way, no matter what clever way the students find to reach that page, that page will not render for them.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

Re: Registered user changing login name to a naughty word!!

Post by theteacher999 » Sat May 12, 2018 11:40 am

Thanks for the great reply and the information. I've only just returned to this problem so apologies for the delay.

I thought in the Users area in Admin, Options - User Options, setting 'Change username' to 'No' would stop the user changing their username? Obviously not, but I wonder what it is used for then?

Unfortunately, I really don't have the knowledge to confidently do this without thinking I could be messing something else up. I can't be the first person to have had this issue. I wonder if some kind person could help me here, and provide some code that:

overrides the file /components/com_users/views/profile/tmpl/edit.php, which checks a user's group membership. If the user is not an admin, redirect them to the home page so they cannot make any changes.

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

Re: Registered user changing login name to a naughty word!!

Post by theteacher999 » Sat May 12, 2018 1:29 pm

If I just deleted the edit.php file, would that do the trick? Is there anything else that might be affected by doing this?

How do you redirect to a URL (my homepage) in php? I'm also thinking if I have code at the very top of the edit.php file that immediately redirects the user to the homepage (regardless of what group they are in), that might do the trick.

I don't really mind if no one can change their user login account from the frontend, as long as I can do it in the backend as Admin.

All thoughts greatly appreciated.

rcarey
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)

Re: Registered user changing login name to a naughty word!!

Post by rcarey » Sat May 12, 2018 2:31 pm

I suspect that an upgrade of Joomla will restore that edit file you deleted. So it seems better to override it than delete it.

First, to know for yourself you have the new behavior coded correctly, you should test the scenario that you want to change so that you can see the old behavior. Then after the code change you can try again to confirm that the change is working. This is an important pattern when testing.

To reach the screen where one can change one's profile info, append this to the base url of your site:

?option=com_users&view=profile&layout=edit

For example: mydomain.com/?option=com_users&view=profile&layout=edit ... You will need to log in and then click a button to edit your profile. The goal at this step is to reach that edit screen - to see where the mischief is probably occurring.

Then, copy this file from your Joomla install:

/components/com_users/views/profile/tmpl/edit.php

and place the copy here:

/templates/{my-template}/html/com_users/profile/edit.php

where {my-template} is the name of your template.
Open that copy for editing and near the top you can add this line of code to redirect to the home page:

JFactory::getApplication()->redirect(JUri::root());

Now visit that edit screen on the site's frontend and the page should always redirect to your home page. Further, any URL used to reach this edit form will still go through this overriding file and enforce your thwarting behavior.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions
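
The group-membership check suggested earlier in the thread, combined with the redirect above, as an added example that is not part of the original posts. It assumes Joomla 3.x and that "admin" means an account holding the core.manage permission on com_users (Super Users included); the log category and file name profile_edit / profile_edit_blocked.php are hypothetical.

```php
<?php
// Added example for /templates/{my-template}/html/com_users/profile/edit.php
// (the override copy described above). Place this at the top of the copy;
// the rest of the original edit.php stays unchanged below it.
defined('_JEXEC') or die;

$app  = JFactory::getApplication();
$user = JFactory::getUser();

// Assumption: "admin" = may manage users (core.manage on com_users).
// Super Users pass every authorise() check, so they are included.
$isAdmin = $user->authorise('core.manage', 'com_users');

if (!$isAdmin)
{
	// Record the attempt so repeated tries on the shared login are visible.
	// 'profile_edit' (category) and the file name are hypothetical choices;
	// the file is written to the log path set in Global Configuration.
	JLog::addLogger(
		array('text_file' => 'profile_edit_blocked.php'),
		JLog::ALL,
		array('profile_edit')
	);
	JLog::add(
		sprintf(
			'Blocked profile edit form: user id %d (%s) from %s',
			$user->id,
			$user->username,
			$app->input->server->getString('REMOTE_ADDR', 'unknown')
		),
		JLog::WARNING,
		'profile_edit'
	);

	// Standard Joomla "not authorised" message, shown after the redirect.
	$app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');

	// Same redirect as in the post above; redirect() also ends the request.
	$app->redirect(JUri::root());
}
```

Backend user management is unaffected because the override lives in the site template. The override controls only what the form view renders; applying the same rule to saves is a server-side job, for example a user plugin handling onUserBeforeSave.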

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

What is 'Change username' used for?

Post by theteacher999 » Sun May 13, 2018 11:07 am

When logged in as Admin, Manage Users, Options - User Options, I have the 'Change username' setting set to 'No'. I thought this would stop a user changing their username - seems reasonable?

Why is it possible for a User to still change their Username, even though 'Change username' is set to 'No', please? Have I misunderstood its use? What am I missing?

Thanks
Last edited by toivo on Sun May 13, 2018 1:32 pm, edited 1 time in total.
Reason: mod note: merged with the previous topic - please keep the issues and actions in one topic

toivo
Joomla! Exemplar
Posts: 9927
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Registered user changing login name to a naughty word!!

Post by toivo » Sun May 13, 2018 1:48 pm

theteacher999 wrote: One clever student has worked out that after logging in, they can then type the following in the URL:

<domain-name>/index.php?option=com_users&view=profile&layout=edit

then change the name and submit it!

theteacher999 wrote: I have the 'Change username' setting set to 'No'.

This option protects only the field 'Username' from being modified through the profile. It does not stop the users from editing the field 'Name', which must have happened in your situation, because otherwise the rest of the students would not have been able to log in with their shared credentials.
Toivo Talikka, Global Moderator
my first programs were assembled and run in 16KB :)
troubleshooting smtp and other articles https://talikka.com/joomla

theteacher999
Joomla! Enthusiast
Posts: 109
Joined: Wed Nov 09, 2011 6:30 pm

Re: Registered user changing login name to a naughty word!!

Post by theteacher999 » Tue May 15, 2018 4:24 pm

Thanks for the info.

To rcarey: thanks for your reply and response. The solution provided seems to be working a treat! Hopefully, problem solved!!

Many many thanks

