Preventing guests from changing passwords


sylvaticus
24-02-07, 03:32 AM
Hello,
following the hack on this thread:
http://www.dotproject.net/vbulletin/showthread.php?t=2354

I allowed guest users to browse my dotProject installation.
However, how can I prevent them from clicking on "My info" and changing the guest preferences, or, even worse, changing the password of the guest user?

cheers,
Sylvaticus

caseydk
24-02-07, 10:40 PM
You can simply remove that link from the header. The file you're looking for is:

/style/default/header.php and it's somewhere around line 95.

This will remove the link from everyone though, so you might want to see if you can remove it just for that user.

sylvaticus
08-03-07, 03:16 AM
hi.. I would rather place a big "if" based on the logged-in username="guest" on the admin module.. you know.. I am quite surprised by your answer..
..what you suggested surely works, but it is REALLY a big security hole.. it's enough to go to that link through the address bar to bypass it! (or even just change style!).

sylvaticus
08-03-07, 03:49 AM
ok.. I have added:

    // 3 is the user_id of the guest account in this installation
    if ($AppUI->user_id == 3) {
        $AppUI->redirect( "m=public&a=access_denied" );
    }

on system/addeditpref.php and admin/addedituser and it seems to work.. I would have preferred to use the username rather than the user_id, but it's fine anyhow..
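
As an added example (not code from the thread and not dotProject's own code) of the username-based guard sylvaticus says he would have preferred: it assumes dotProject's global $AppUI object exposes the login name as $AppUI->user_username (an assumption; the post above only uses $AppUI->user_id) and the $AppUI->redirect() helper the post does use. The CAppUI stand-in at the bottom is constructed so the file runs outside dotProject.

```php
<?php
// Added example (not dotProject code, not from the thread). It assumes dotProject's
// global $AppUI object exposes the login name as $AppUI->user_username (an
// assumption; the post above only shows $AppUI->user_id) and the
// $AppUI->redirect() helper that the post does use.

/**
 * Shared accounts that must never reach the self-service pages (My info,
 * preferences, password change). Matching on the login name rather than on a
 * numeric id means the guard still holds if the guest account is deleted and
 * re-created with a different user_id.
 */
function self_service_denied_accounts()
{
    return array('guest');
}

/**
 * True when $username belongs to a shared account. The comparison is
 * case-insensitive, and an empty name is refused rather than allowed, so a
 * request with no usable identity cannot slip past the check.
 */
function is_self_service_denied($username, array $denied = null)
{
    if ($denied === null) {
        $denied = self_service_denied_accounts();
    }
    $username = strtolower(trim((string) $username));
    if ($username === '') {
        return true;
    }
    return in_array($username, array_map('strtolower', $denied), true);
}

/**
 * Call this at the top of every handler that edits a user's own record
 * (system/addeditpref.php and admin/addedituser in the thread), before any
 * POSTed form data is processed. It has to run server-side in the handler:
 * removing the "My info" link from style/default/header.php only changes what
 * the page shows, and the handler stays reachable by typing its m=/a=
 * parameters into the address bar.
 */
function guard_self_service($AppUI)
{
    $username = isset($AppUI->user_username) ? $AppUI->user_username : '';
    if (is_self_service_denied($username)) {
        $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        // Log the refusal so attempts against the shared account are visible.
        error_log('self-service page refused for shared account "' . $username . '" from ' . $from);
        $AppUI->redirect('m=public&a=access_denied');
        exit; // redirect() is expected to end the request; exit guarantees it
    }
}

// Constructed stand-in so this file runs outside dotProject; the real CAppUI
// supplies these members itself.
if (!class_exists('CAppUI')) {
    class CAppUI
    {
        public $user_id;
        public $user_username;

        public function __construct($id, $name)
        {
            $this->user_id = $id;
            $this->user_username = $name;
        }

        public function redirect($params)
        {
            echo "redirect to index.php?" . $params . "\n";
        }
    }
}

if (PHP_SAPI === 'cli') {
    var_dump(is_self_service_denied('Guest'));
    var_dump(is_self_service_denied('sylvaticus'));
    var_dump(is_self_service_denied(''));
    guard_self_service(new CAppUI(7, 'sylvaticus')); // passes through silently
    guard_self_service(new CAppUI(3, 'guest'));      // redirects and exits
}
```

The guard is deliberately placed in the handlers rather than in the header template: the template decides what links are rendered, the handler decides what requests are honoured, and only the second is access control.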

caseydk
11-03-07, 01:27 AM
> hi.. I would rather place a big "if" based on the logged-in username="guest" on the admin module.. you know.. I am quite surprised by your answer..
> ..what you suggested surely works, but it is REALLY a big security hole.. it's enough to go to that link through the address bar to bypass it! (or even just change style!).

It's a security hole that a user should be able to change their own password?

I think you're a bit off. If you *really* wanted to ensure safe usage, you would assign each user a unique username/password. Then they could change it all they wanted. The way you have it configured now, if you screw up your permissions and someone makes a change, you'll never know who did what.