Fixed Members Can Set or Use Disabled/Hidden Style

Alteran Ancient

Well-known member
Quite a simple one, but the insistence of a few of my members to be able to use styles I've not permitted them to select is starting to get to me.

Users can do two things:
1. Users can open the style selector and then replace the Style ID in the URL to change the selected Style ID stored in their profile. So long as the xf_token is in the URL, the selection saves, but only the default style will be displayed. This is annoying, because my users' selected styles appear in their postbit.

2. Users can load a simple userscript to replace the style ID in the "css.php" stylesheet declaration. The css.php file returns the correct CSS values, even if the style is hidden/disabled and even if the user is not an administrator. This allows the user to actually "see" and "use" the disabled style.

I'd rather that members not be able to do either of these things, because if I have a style disabled, I usually have it disabled for a good reason.

I'd like to be able to prevent both scenarios, if possible.
 
Part of 1 is a bug - it probably shouldn't be saving it, but that's about it. As long as it doesn't display the style if they did manage to select it, then that's ok.

2 is totally as designed and is rather important. Styles (and languages) are not considered private and user selectability is really just guidance to prevent users from selecting it on every page (such as for forum-specific styles). If a style isn't in use, I'd recommend just removing it... though I do wonder why you're taking away something from your users that they seem to be clamoring for?
 