It would also make it easier for people to force random users to use other themes etc.
If you're just doing this on a test/localhost site, edit usercp.php, find:
    if($mybb->input['action'] == "do_options" && $mybb->request_method == "post")
    {
        // Verify incoming POST request
        verify_post_check($mybb->input['my_post_key']);
replace with:
    if($mybb->input['action'] == "do_options")
    {
Note, don't use this on a live website.
Should be able to use something like:
usercp.php?action=do_options&uid=1&style=1
Well, if you were to implement this then it should be separate from other options and restricted to just you.
The simplest way I can think of is for logged-in users to check the uid to make sure it's only for their own uid.
(2009-12-14, 03:56 AM) Zash wrote: Well, if you were to implement this then it should be separate from other options and restricted to just you.
The simplest way I can think of is for logged-in users to check the uid to make sure it's only for their own uid.
That's not the issue. You're removing CSRF checks here. It doesn't matter if the uid matches or not.
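
The point made in the last reply, as an added example that is not part of the thread and is not MyBB code: a cross-site request is sent by the logged-in user's own browser with their session, so a uid comparison passes while the post-key check rejects it. The function names, session layout and request arrays below are constructed for illustration.

```php
<?php
// Constructed model of a do_options handler's guards; hypothetical names, not MyBB code.

// Server-side session of the logged-in user. The browser attaches the session
// cookie to every request to the forum, including ones another site triggers.
$session = ['uid' => 1, 'post_key' => bin2hex(random_bytes(16))];

function uid_guard(array $session, array $input): bool
{
    // The proposal in the thread: only accept changes for the caller's own uid.
    return isset($input['uid']) && (int)$input['uid'] === $session['uid'];
}

function token_guard(array $session, array $input, string $method): bool
{
    // Model of the check that was removed: POST only, plus a secret tied to
    // the session that a page on another origin cannot read or guess.
    return $method === 'POST'
        && isset($input['my_post_key'])
        && hash_equals($session['post_key'], (string)$input['my_post_key']);
}

// Constructed requests. Both reach the server with the same session cookie.
$requests = [
    'own form'   => ['method' => 'POST', 'input' => ['action' => 'do_options',
                     'uid' => '1', 'style' => '2', 'my_post_key' => $session['post_key']]],
    // Same shape as the URL in the thread: no post key, and uid matches the session.
    'cross-site' => ['method' => 'GET', 'input' => ['action' => 'do_options',
                     'uid' => '1', 'style' => '1']],
];

foreach ($requests as $label => $req) {
    printf("%-10s  uid check: %-6s  token check: %s\n", $label,
        uid_guard($session, $req['input']) ? 'accept' : 'reject',
        token_guard($session, $req['input'], $req['method']) ? 'accept' : 'reject');
}
```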