Fergus Duniho wrote on Thu, Nov 9, 2023 06:08 PM UTC in reply to Fergus Duniho from 05:05 PM:

As a second test, I created stingmovetest3, and on loading it into an editor, I saw that $author was set to my userid.

As a third test, I saved a modified copy as stingmovetest4 without a userid, and it allowed it.

As a fourth test, I modified it again and saved it with my userid. This time, my userid showed up as the value of $author.

As a fifth test, I modified stingmovetest2 and tried to save it without being signed in. This was not allowed, which is good, because it should not be allowed.

As a sixth test, I signed into a spare account I use for testing, and I tried saving a modified stingmovetest2. My modification went through, and $author is still set to the empty string.

So, it appears there is a security hole in Game Courier. It is possible to create a settings file with an empty Userid, and then anyone who is signed in can edit it. It was probably empty because I updated the settings file before saving it, and updating it clears the Userid field from the form. Not noticing this, I apparently saved it with an empty value for $author, and, not realizing it wasn't his own settings file, Adam edited it without entering his own userid.

I addressed this by filling in the $userid value from the SESSION variable when someone is already signed in. This stops someone from creating a settings file with an empty userid, but it does allow someone to steal a settings file that already has an empty value for $author.
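The ownership check the comment describes, as an added example in Python. This is a model written for this page, not Game Courier's own (PHP) code; the store layout, the field names and the exact comparison are assumptions chosen so that the handler reproduces the six observations above: the owner id comes from a form field, and a file whose stored author is empty matches any submitted id. `save_original` is the modelled pre-fix behaviour, `save_patched` applies the fix from the comment (fill the userid from the session), and `save_hardened` is a stricter variant suggested here, not by the comment, that takes the owner from the session only and refuses to save an ownerless file at all.

```python
"""Model of the settings-file ownership check described in the comment.

Added example, not Game Courier's code. The store, the field names and the
comparison below are assumptions made to reproduce the observations in the
comment: the owner id is submitted in a form field, and a file whose stored
author is empty is treated as owned by nobody, so it matches any submitted id.
"""

from typing import Dict, Optional

# name -> {"author": owner userid ('' in the buggy files), "body": settings text}
Store = Dict[str, Dict[str, str]]


class SaveDenied(Exception):
    """Raised when the save handler refuses the write."""


def save_original(store: Store, name: str, body: str,
                  form_userid: str, session_userid: Optional[str]) -> str:
    """Modelled original behaviour. Returns the author recorded on the saved file.

    Denies when nobody is signed in, or when the file already has a non-empty
    author that differs from the submitted userid. An empty stored author
    matches anything, and an empty form field is stored as the author.
    """
    if session_userid is None:
        raise SaveDenied("not signed in")
    existing = store.get(name)
    if existing is not None and existing["author"] and existing["author"] != form_userid:
        raise SaveDenied("userid does not match the file's author")
    store[name] = {"author": form_userid, "body": body}
    return form_userid


def save_patched(store: Store, name: str, body: str,
                 form_userid: str, session_userid: Optional[str]) -> str:
    """The fix from the comment: a signed-in user's form userid is replaced by
    the session userid, so no new file can be saved with an empty author.
    The empty-author match is unchanged, so an existing ownerless file can
    still be claimed (its author overwritten) by any signed-in user.
    """
    if session_userid is not None:
        form_userid = session_userid
    return save_original(store, name, body, form_userid, session_userid)


def save_hardened(store: Store, name: str, body: str,
                  session_userid: Optional[str]) -> str:
    """Stricter check suggested here (an assumption, not the comment's proposal):
    the owner comes from the session only, never from the form, and a file
    whose stored author is empty is refused so it cannot be claimed by
    whoever saves it first.
    """
    if not session_userid:
        raise SaveDenied("not signed in")
    existing = store.get(name)
    if existing is not None:
        if not existing["author"]:
            raise SaveDenied("file has no owner; assign one before it can be edited")
        if existing["author"] != session_userid:
            raise SaveDenied("file belongs to another user")
    store[name] = {"author": session_userid, "body": body}
    return session_userid


def replay_tests() -> Dict[str, str]:
    """Replay the comment's observations against a constructed store."""
    results: Dict[str, str] = {}
    # Constructed ownerless file standing in for stingmovetest2.
    store: Store = {"stingmovetest2": {"author": "", "body": "v1"}}

    # Fifth test: signed out -> denied.
    try:
        save_original(store, "stingmovetest2", "v2", "", None)
        results["signed_out"] = "allowed"
    except SaveDenied:
        results["signed_out"] = "denied"

    # Sixth test: another signed-in account saves without a userid -> allowed, author stays ''.
    results["spare_account"] = save_original(store, "stingmovetest2", "v2", "", "spare")

    # After the fix: the form userid is filled from the session, so the
    # ownerless file is saved with author 'spare' -- it has been stolen.
    results["patched_steal"] = save_patched(store, "stingmovetest2", "v3", "", "spare")

    # Hardened: an ownerless file cannot be saved by anyone.
    store["stingmovetest2"]["author"] = ""
    try:
        save_hardened(store, "stingmovetest2", "v4", "spare")
        results["hardened"] = "allowed"
    except SaveDenied:
        results["hardened"] = "denied"
    return results


if __name__ == "__main__":
    for check, outcome in replay_tests().items():
        print(f"{check}: {outcome}")
```

The point of the hardened variant is that an authorization decision should never depend on a value the client submits (here, the Userid form field) when the server already knows who is signed in, and that an "owned by nobody" record should be treated as unowned rather than as owned by everybody.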

Comment on the page Programming Piece Movement in Game Courier