• Resolved johnwandler

    (@johnwandler)


    Basically title.

    [protocol]://[domain]/[profile_prefix_url]/[profile_name]

    • [protocol] – http / https
    • [domain] – your domain’s name
    • [profile_prefix_url] – your profile’s page name, e.g. “profil” / “profile” / “authors” / whatever your configuration is
    • [profile_name] – actual, random or empty profile’s name

    e.g. let’s say our RANDOM / INCORRECT or EMPTY profile’s url is:

    • //yourwebsite.com/profile/random_non-existing_profile_name – it’ll display ADMIN’s profile
    • //yourwebsite.com/profile/existing_profile_name – it’ll display correctly typed profile
    • //yourwebsite.com/profile/ – it’ll for some reason also display ADMIN’s profile

    I can understand that, being logged in and clicking the “profile” link, it’ll redirect to your actual profile, but even after logging in and typing random/incorrect profile names you can achieve the same results.

    If you are not logged in and type //yourwebsite.com/profile/ (without typing any name) you’ll see ADMIN’s profile.

    I think that I have to use functions.php to block / prevent access, but come on, it’s basic functionality. You shouldn’t be able to do that!
