Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Bug: s2member_profile=1

This topic contains 4 replies, has 3 voices. Last updated by  Bran 4 years, 8 months ago.

Posted: Monday Apr 30th, 2012 at 6:36 pm #12245
Bran
Username: brans2member

Hi gang,

When profile modification has been disabled, anyone can use Firebug to find some of the scripts and functions behind s2member.

A user therefore can easily change the URL – after logging in – to example.com/?s2member_profile=1 and change the details of their profile.

Logging in to this forum allows the same functionality, since it also uses s2member.

In other words, once one logs in here you can change the URL from http://www.s2member.com/profile/ to http://www.s2member.com/?s2member_profile=1 and you will see your account details there.

I believe this should be disallowed for all installs that do not allow profile modifications.

Please advise.

Thank you.

Bran

Posted: Tuesday May 1st, 2012 at 4:37 am #12262

Thanks for the report, Bran.

Right, the form should not be shown if profile modifications aren’t allowed. Did you try saving profile changes and actually succeeded too?

Were you logged in to your administrator account when you tried what you’re reporting or were you using a normal user account to test?

Posted: Tuesday May 1st, 2012 at 9:08 am #12271
Bran
Username: brans2member

Cristian,

I was logged in as a level 1 user.

In my world, the only capabilities applied to this role are:

* access_s2member_level1
* access_s2member_level0
* read

Profile modifications are disallowed in my setup.

I only tried this as a test and the modifications form came up.

All s2member registration fields were not editable (that’s how I set up my forms).

However, the following fields are:

* Email address
* First name
* Last name
* Display name
* Password

I tested editing by changing the last name and it successfully saved the new entry.

I realize these are default WP fields but I feel that they should not be accessed, either.

Under s2member > General Options > Member Profile Modifications I have the “Redirect Members away from the Default Profile Panel?” setting set as “Yes”.

If you log in as a s2member levelX user you can use Firebug to see all the data loaded in the DOM by s2member. One line, among all the other lines with tons of individual and plugin-specific s2member data, is:

S2MEMBER_CURRENT_USER_PROFILE_MODIFICATION_PAGE_URL “https://www.xxxxxxxxxxxxxx.com/?s2member_profile=1”

So someone could easily find that and access this page…

Does that help?

Bran

Posted: Wednesday May 2nd, 2012 at 4:33 am #12351
Staff Member

Thanks for the heads up on this thread.

I’m sorry if there has been any confusion about this. There’s currently NO feature in s2Member that would absolutely stop a User/Member from updating their own Profile (i.e. Username/Password/Email Address). However, you do have control over which Custom Registration/Profile Fields can be edited, and which CANNOT be.

If you create your own Custom Registration/Profile Fields, these can be configured to disallow Profile edits, under: Dashboard → s2Member® → General Options → Registration/Profile Fields. Open each field’s configuration window for details regarding this configuration option.

Under s2member > General Options > Member Profile Modifications I have the “Redirect Members away from the Default Profile Panel?” setting set as “Yes”.

The feature that you’re referring to is designed to prevent the /wp-admin/profile/ panel from being used, in cases where you’d rather Users/Members stay on the front-end of your site instead (i.e. NOT allowing /wp-admin/profile/ access, to the WordPress default profile editing panel). However, this is NOT to say that s2Member is going to disallow any sort of profile update whatsoever. It’s only preventing profile updates from occurring through the /wp-admin/profile/ panel.

If you’d like to take this a step further, and lock down s2Member’s stand-alone Profile editing panel as well, you could add this action hook to your site, which accomplishes just that.

Please create this directory and file:
/wp-content/mu-plugins/s2-hacks.php
(these are MUST USE plugins, see: http://codex.wordpress.org/Must_Use_Plugins)

<?php
// Hooked to 'init' at priority 1 so the request variables are removed before
// s2Member looks for them: the stand-alone profile panel is never rendered
// (GET s2member_profile) and no profile save is processed (POST ws_plugin__s2member_profile_save).
add_action('init', 'prevent_s2_profile_updates', 1);

function prevent_s2_profile_updates()
{
    unset($_GET['s2member_profile'], $_POST['ws_plugin__s2member_profile_save']);
}
?>

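As an added example (not the staff member's code, and not part of s2Member), the same mu-plugin idea extended so that administrators keep access to the front-end profile panel while every other blocked request is written to the PHP error log, which makes misuse visible to log monitoring. The `manage_options` capability as the admin test is an assumed policy choice; the two request keys are the ones named in the post above.

```php
<?php
/*
 * Added example, not the original hack: restrict s2Member's stand-alone
 * profile panel to administrators and log every blocked attempt.
 * Install as /wp-content/mu-plugins/restrict-s2-profile.php (assumed name).
 */
add_action('init', 'restrict_s2_profile_panel', 1);

function restrict_s2_profile_panel()
{
    // Request keys named in the thread: GET shows the panel, POST saves it.
    $wants_panel = isset($_GET['s2member_profile']);
    $wants_save  = isset($_POST['ws_plugin__s2member_profile_save']);

    if (!$wants_panel && !$wants_save) {
        return; // Not a profile request; nothing to do.
    }

    // Assumed policy: only users who can manage the site keep the panel.
    if (is_user_logged_in() && current_user_can('manage_options')) {
        return;
    }

    // Record the attempt (user id 0 means not logged in) for log monitoring.
    error_log(sprintf(
        'Blocked s2Member profile %s for user #%d from %s',
        $wants_save ? 'save' : 'panel',
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));

    // Drop the request variables so s2Member never sees the panel or save
    // request, exactly as the one-line hack above does.
    unset($_GET['s2member_profile'], $_POST['ws_plugin__s2member_profile_save']);
}
```
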
Posted: Wednesday May 2nd, 2012 at 7:22 pm #12407
Bran
Username: brans2member

Jason,

Super thanks for the hack.

I tried it out and it works!

Thank you again!

Bran

This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.