Restrict access to profile pages

Userlist isn't possible without a mod I believe.

Following instructions from the previous post I added this code to profile.php

if ($pun_user['is_guest'])
{
    require '../common/headerlite.php';
    echo '<meta content="5; URL = http://mywebsite.com/forum/login.php" http-equiv="Refresh" />';
    echo '<div class="leftbar"></div><div class="midbar"><p>You must be logged in to view member profiles.</p></div>';
    include     '../common/footer.php';
    die();
}

It works. Profiles are only accessible if you're logged in.

But that creates a huge problem when a user forgets his password and lets the system send a new password. The activation link looks something like this:

...forum/profile.php?id=11&action=change_pass&key=IJGix8Sy

But profile.php no longer allows access to users that aren't logged in. And I guess this modification even makes it impossible for new users to sign up and activate.

Is there a way to restrict access to just the "user profile" in profile.php, but leave elements needed for activation open? Is there a way to seperate these conflicting functionalities within profile.php.

MattF, thanks, but I don't get your reply. It's basically the same code I already had, isn't it? Yours is more standard PunBB. In my customization I bypass the language file system where I can because I only use English. The language system is confusing to me.

What does this bit of code do?

&& $action != 'change_pass'

Does it exclude the change_pass action from the no-view-for-guests restriction? To me as a non-PHP coder it looks like it specifically closes change_pass to guests, which would be the opposite of what I want.

Is change_pass the only action in profile.php I should leave open for users that aren't logged in? How about activation for new users?

Thanks MattF, I'll try this. :-)

I don't have a clear picture what other necessary actions there are in profile.php and how to add them to the exclusion. What would the syntax be? For a non-coder it's hard to guess or google.

There is a simpler solution: just don't write the userlist-link anymore for guests, i.e. in the function generate_navlinks() in functions.php replace

$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';

by

if (!$pun_user['is_guest'])  {
$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';
}

Furthermore I also removed the link to the profile of the newest user by removing

<dd><?php echo $lang_index['Newest user'] ?>: <a href="profile.php?id=<?php echo $stats['last_user']['id'] ?>"><?php echo pun_htmlspecialchars($stats['last_user']['username']) ?></a></dd>

from index.php (I also removed the corresponding database query somewhat above that line).

Thomas

Yes, that's obviously true, but actually preventing access to the userlist and profiles for guests is probably not the problem here. I for instance was primarily concerned about reducing the number of entry points for search engines and other spiders into the forum in order to reduce the amount of unnecessary traffic. And links are realistically the only way of getting into the forum. So with no links to the userlist or any profile on the index page, the only way to any topics is over the forum links (I have even forbidden the 'last post' links for the major search engines with a corresponding rewrite directive in an .htaccess files (which rejects requests with 'pid' in the query string)).
Besides, I have renamed some pages throughout (including userlist.php), in order to evade any attempts of looking for certain pages in the first place.

Thomas