  • [security] Ability to get all user's emails on Front-End [5.2.1-RC1]

Advanced theme, "Send Private Message" form. In the "To" field, enter the PortalUserId of a user (it can be guessed, as it is an integer starting at 1 and so on). After submitting, an error appears on the "To" field, but in the "To" field value we can now read the e-mail of the user with that PortalUserId.

5 Comments

  1. Yes, this seems to be a bug, but directly related to the Advanced theme.

    I say we file it in Icebox and possibly fix it in 5.2.2 or 5.3.0.

    Anyone else?

  2. Ok. Not sure, though, whether it's a bug in a particular form implementation in the theme or in username input controls in general. Also, with registration by e-mail enabled, a user must enter the other user's e-mail to send him a private message :) In my opinion, if a user's e-mail is already known to another user, then he can send an e-mail to him directly and not use our private messaging system.

    We need to discuss further and only create a task when we know what needs to be done.

  3. This is an issue when we use user e-mails as usernames; when we use usernames as they are, it's not an issue, correct?

    I think it might just overcomplicate things if we are going to add some sort of logic there for one case or another...

    What do you think?

    1. Both cases (e-mail used for login OR usernames used for login) are absolutely valid. However, the fact that we're allowing private messages to be sent by e-mail is just a side effect of the fallback mechanism, where the e-mail is used instead of a missing username.

      Maybe we need to:

      1. force users to fill in the Username field if they want to send/receive private messages
      2. not fall back to e-mail when the username is missing, and just consider the user not a valid private message recipient
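
The following is an added example, not part of the original thread and not the project's code. It models the reported "To" field behaviour next to the second option proposed above (no e-mail fallback). The `User`, `Result`, `leaky_resolve` and `hardened_resolve` names, the error text and the sample accounts are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    portal_user_id: int
    username: Optional[str]  # None for accounts registered by e-mail only
    email: str

@dataclass
class Result:
    recipient_id: Optional[int]
    error: Optional[str]
    field_value: str  # what the re-rendered "To" field shows

# Constructed sample accounts (hypothetical data).
USERS = [User(1, "admin", "admin@example.test"),
         User(2, None, "alice@example.test")]

def leaky_resolve(to_field: str) -> Result:
    """Assumed model of the report: a numeric value is looked up as a
    PortalUserId and the field is rewritten with username-or-e-mail."""
    if to_field.isdigit():
        user = next((u for u in USERS if u.portal_user_id == int(to_field)), None)
        if user is not None:
            login = user.username or user.email  # fallback exposes the address
            return Result(None, "Invalid recipient", login)
    user = next((u for u in USERS if to_field in (u.username, u.email)), None)
    if user is None:
        return Result(None, "Invalid recipient", to_field)
    return Result(user.portal_user_id, None, user.username or user.email)

def hardened_resolve(to_field: str) -> Result:
    """Username-only lookup, no e-mail fallback, and the field only ever
    echoes what the sender typed."""
    user = next((u for u in USERS if u.username and u.username == to_field), None)
    if user is None:
        # Identical response for unknown names, IDs and e-mail-only accounts.
        return Result(None, "Invalid recipient", to_field)
    return Result(user.portal_user_id, None, to_field)
```

Because the hardened resolver never writes server-side data back into the field on failure, submitting an ID returns nothing the sender did not already supply.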