[Resolved] Changing user_id in url, is giving acces to edit another user details.

[Author]

Posts

[barbaraK]

Hi,
I created a user form for changing e-mail address, but I'm able to see and change e-mail address of another user when I just change user_id in url.
/account/?layout_id=71&user_id=7
/account/?layout_id=71&user_id=8
/account/?layout_id=71&user_id=9

[Minesh]

Hello. Thank you for contacting the Toolset support.

As I understand - you created Edit user form, correct? If yes, using what role you are editing the user form? How you setup the edit form?

Could you please send me debug information that will help us to investigate your issue.
=> https://toolset.com/faq/provide-debug-information-faster-support/

[barbaraK]

Yes, edit user form.
Role is author.
Look on my screen record here:
hidden link

[Minesh]

I would like to confirm here - do you want to list all users with Edit user form link or only user who is logged-in?

[barbaraK]

Only user who is logged-in.
This is "my account" changing e-mail form.
But if logged-in user with author role, can change e-mails of another author user just with change user_id in url, it mean that something is wrong.

[Minesh]

Can you please share problem URL and admin + author user (both) access deteails.

I have set the next reply to private which means only you and I have access to it.

[barbaraK]

It is on localhost now. I'll let you know when I put this online.

[Minesh]

ok fine. Please update us when you setup a test site.

I have set the next reply to private which means only you and I have access to it.