[fixed] Possible Custom Avatar Bug



Cloud-Warrior
Wed 6th Feb '02, 7:12am
Hi all -

I have two users on our system who have managed to bypass the allow custom avatar option (currently disabled) on the user CP as follows. Here is a quote from one of the guys:



I saved the edit avatar page, and went through the html. Wasn't going to help me because each avatar has an id number. Then it hit me. If I was to register for another forum that allows custom avatars, then maybe I could cut 'n' paste the bit of code at the bottom of the page (that allows you to set the custom avatar path).

I then popped this into the html page from the boards.ie avatar page that I had saved. Put in the address for my custom avatar and hit go! It worked.


Any ideas - as a stopgap I will need to disable the customavatar table.

John.
--

tubedogg
Wed 6th Feb '02, 7:22am
Yeah this is a bug.

Line 954, member.php, the user's posts are checked against the number the admin sets for use of custom avatars, but the other options (avatarallowupload and avatarallowwebsite) are never checked on that page, meaning if the user has circumvented the initial page (like yours did) they can very simply circumvent this, as if you don't allow custom avatars, the chance is very slim that you have adjusted avatarcustomposts from its default of 0.

Moving...

Cloud-Warrior
Wed 6th Feb '02, 8:13am
How can I disable the customavatar table then (at least nothing will be written to it)?

[Later...]

I suppose I can just comment out the two update and insert into customavatar lines around 1050-1060 of member.php.

John.
--

tubedogg
Wed 6th Feb '02, 9:07am
A much easier way would be to set the minimum post requirement at 1000000 (1 million) which would effectively turn it off completely, even with this bug present.
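
The missing server-side check diagnosed above, and why the post-count stopgap works, as an added sketch. This is not vBulletin's member.php: the option names (avatarallowupload, avatarallowwebsite, avatarcustomposts) come from the thread, while the function names, array layout and sample values are assumptions made for illustration.

```php
<?php
// Added sketch, not vBulletin code. Option names are taken from the thread;
// everything else (function names, arrays, sample values) is hypothetical.

// The check as described in the thread: only the post threshold is enforced
// when the avatar form is submitted.
function may_set_custom_avatar_postcount_only(array $options, array $user): bool
{
    return $user['posts'] >= $options['avatarcustomposts'];
}

// Hardened check: the admin switches are re-evaluated on every submit,
// whatever fields the (possibly hand-edited) form contained.
function may_set_custom_avatar(array $options, array $user, string $source): bool
{
    if ($user['posts'] < $options['avatarcustomposts']) {
        return false;
    }
    if ($source === 'website') {
        return (bool) $options['avatarallowwebsite'];
    }
    if ($source === 'upload') {
        return (bool) $options['avatarallowupload'];
    }
    return false; // unknown avatar source: deny by default
}

// Constructed sample data: custom avatars switched off by the admin,
// post threshold left at its default of 0.
$options = ['avatarallowupload' => 0, 'avatarallowwebsite' => 0, 'avatarcustomposts' => 0];
$user    = ['posts' => 12];

// Case 1: post-count-only check with the default threshold (the reported bypass).
var_dump(may_set_custom_avatar_postcount_only($options, $user));

// Case 2: same submission against the hardened check.
var_dump(may_set_custom_avatar($options, $user, 'website'));

// Case 3: the stopgap from the thread, threshold raised to 1000000,
// evaluated with the unpatched post-count-only check.
$options['avatarcustomposts'] = 1000000;
var_dump(may_set_custom_avatar_postcount_only($options, $user));
```

The stopgap only holds while no account reaches the threshold; the hardened check does not depend on post counts at all when both switches are off.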