Stop the user plugin accessing password or salt data.

pyrocms · Sep 17, 2012 · 182f6a1 · 182f6a1
1 parent 997f8c7
commit 182f6a1
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/system/cms/plugins/user.php b/system/cms/plugins/user.php
@@ -284,13 +284,14 @@ private function get_user_var($var, $user_id)
 		if(array_key_exists($var, $this->ion_auth_model->user_stream_fields))
 		{
 			$formatted_column = $this->row_m->format_column(
-												$var,
-												$user[$var],
-												$user['profile_id'],
-												$this->ion_auth_model->user_stream_fields->{$var}->field_type,
-												$this->ion_auth_model->user_stream_fields->{$var}->field_data,
-												$this->ion_auth_model->user_stream,
-												true);
+				$var,
+				$user[$var],
+				$user['profile_id'],
+				$this->ion_auth_model->user_stream_fields->{$var}->field_type,
+				$this->ion_auth_model->user_stream_fields->{$var}->field_data,
+				$this->ion_auth_model->user_stream,
+				true
+			);
 		}
 		else
 		{
@@ -323,8 +324,13 @@ private function get_user_var($var, $user_id)
 	 * @param	string
 	 * @return	string
 	 */
-	function __call($name, $data)
+	public function __call($name, $data)
 	{
+		if (in_array($name, array('password', 'salt')))
+		{
+			return;
+		}
+
 		$user_id = $this->attribute('user_id', null);
 
 		// If we do not have a user id and there is