// Can this user view profiles/memberlist?
if (!$auth->acl_gets('u_viewprofile', 'a_user', 'a_useradd', 'a_userdel'))
{
if ($user->data['user_id'] != ANONYMOUS)
{
send_status_line(403, 'Forbidden');
trigger_error('NO_VIEW_USERS');
}
login_box('', $user->lang['LOGIN_EXPLAIN_VIEWONLINE']);
}
// Can this user view profiles/memberlist?
// Edited: Guests/bots cannot view online-list, but everyone else can. No longer permission based.
if ($user->data['user_id'] == ANONYMOUS)
{
login_box('', $user->lang['LOGIN_EXPLAIN_VIEWONLINE']);
}
if ($user->data['is_bot'])
{
send_status_line(403, 'Forbidden');
trigger_error('NO_VIEW_USERS');
}
This hardcode removes the permissions basis on who can access viewonline and instead hardcodes that guests and bots cannot access it, regardless of the permission setting. I made this change to allow guests and bots to view groups and profiles in the ACP via the permissions system, while still blocking their ability to see the full who is online list.
Last edited by Dimetrodon on Sat Dec 24, 2022 11:33 pm, edited 1 time in total.
