Fix /users/0

The website API now reports userid '0' as an unregistered user. Apparently PHP treats the string '0' as falsy. In the interests of not overhauling literally all our APIs, I've decided to only change the code in the website API. The rest doesn't need to be changed because number-only userids haven't been allowed for a very long time. Fixes smogon/pokemon-showdown#7704
DylanSp · Nov 18, 2020 · 4df93cd · 4df93cd
1 parent 4f05461
commit 4df93cd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/lib/ntbb-session.lib.php b/lib/ntbb-session.lib.php
@@ -404,6 +404,7 @@ function validatePasswordResetToken($token) {
 	function getUser($userid=false) {
 		global $psdb, $curuser;
 
+		if ($userid === '0') return false;
 		if (is_array($userid)) $userid = $userid['userid'];
 		$userid = $this->userid($userid);
 		if (!$userid ||

diff --git a/website/users.php b/website/users.php
@@ -84,10 +84,14 @@
 	'gen1ou' => '[Gen 1] OU',
 );
 
-if (@$_REQUEST['user']) {
-	$userid = $users->userid(@$_REQUEST['user']);
-
-	if (!$userid) {
+if (isset($_REQUEST['user']) && strlen($_REQUEST['user'])) {
+	$userid = $users->userid($_REQUEST['user']);
+	// 0 is falsy
+	// I'm hardcoding here to fix a crash, but the rest of the system
+	// should continue to reject 0 as a valid userid
+	if ($_REQUEST['user'] === '0') $userid = '0';
+
+	if (!strlen($userid)) {
 		header('HTTP/1.1 404 Not Found');
 		die("Invalid userid");
 	}
@@ -113,7 +117,7 @@
 }
 
 if ($authLevel >= 3) {
-	file_put_contents(__DIR__ . '/../config/altaccesslog.txt', "{$curuser['username']} - $userid\n", FILE_APPEND);
+	//file_put_contents(__DIR__ . '/../config/altaccesslog.txt', "{$curuser['username']} - $userid\n", FILE_APPEND);
 }
 
 if (isset($_REQUEST['json'])) {