Merge pull request #25045 from Hystepik/develop#2

Fix : user pages on empty $id

htdocs/user/agenda_extsites.php

@@ -52,6 +52,11 @@ $colorlist = array('BECEDD', 'DDBECE', 'BFDDBE', 'F598B4', 'F68654', 'CBF654', '
 
 // Security check
 $id = GETPOST('id', 'int');
+
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 $object = new User($db);
 $object->fetch($id, '', '', 1);
 $object->getrights();

htdocs/user/document.php

@@ -41,6 +41,10 @@ $id = (GETPOST('userid', 'int') ? GETPOST('userid', 'int') : GETPOST('id', 'int'
 $ref = GETPOST('ref', 'alpha');
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'userdoc'; // To manage different context of search
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 // Define value to know what current user can do on users
 $canadduser = (!empty($user->admin) || $user->hasRight("user", "user", "write"));
 $canreaduser = (!empty($user->admin) || $user->hasRight("user", "user", "read"));

htdocs/user/info.php

@@ -35,6 +35,10 @@ $langs->load("users");
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 $object = new User($db);
 if ($id > 0 || !empty($ref)) {
 	$result = $object->fetch($id, $ref, '', 1);

htdocs/user/note.php

@@ -33,6 +33,10 @@ $id = GETPOST('id', 'int');
 $action = GETPOST('action', 'aZ09');
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'usernote'; // To manage different context of search
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 // Load translation files required by page
 $langs->loadLangs(array('companies', 'members', 'bills', 'users'));
 

htdocs/user/notify/card.php

@@ -38,6 +38,10 @@ $langs->loadLangs(array('companies', 'mails', 'admin', 'other', 'errors'));
 $id = GETPOST("id", 'int');
 $ref = GETPOST('ref', 'alpha');
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 $action = GETPOST('action', 'aZ09');
 $actionid = GETPOST('actionid', 'int');
 

htdocs/user/param_ihm.php

@@ -39,6 +39,10 @@ $id = GETPOST('id', 'int');
 $action = GETPOST('action', 'aZ09');
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'userihm'; // To manage different context of search
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 if ($id) {
 	// $user est le user qui edite, $id est l'id de l'utilisateur edite
 	$caneditfield = ((($user->id == $id) && $user->hasRight("user", "self", "write"))