As a second test, I created stingmovetest3, and on loading it into an editor, I saw that $author was set to my userid.
As a third test, I saved a modified copy as stingmovetest4 without a userid, and it allowed it.
As a fourth test, I modified it again and saved it with my userid. This time, my userid showed up as the value of $author.
As a fifth test, I modified stingmovetest2 and tried to save it without being signed in. This was not allowed, which is good, because it should not be allowed.
As a sixth test, I signed into a spare account I use for testing, and I tried saving a modified stingmovetest2. My modification went through, and $author is still set to the empty string.
So, it appears there is a security hole in Game Courier. It is possible to create a settings file with an empty Userid, and then anyone who is signed in can edit it. It was probably empty, because I updated the settings file before saving it, and updating it clears the Userid field from the form. Not noticing this, I apparently saved it with an empty value for $author, and not realizing it wasn't his own settings file, Adam edited it without entering his own userid.
I addressed this by filling in the $userid value from the SESSION variable when someone is already signed in. This stops someone from creating a settings file with an empty userid, but it does allow someone to steal a settings file that already has an empty value for $author.
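The ownership check described in the post above, as an added example that is not part of the original post and is not Game Courier's own code: a form-supplied userid compared against the stored author, beside a check that takes identity only from the session and treats an empty author as unowned. The function names, the admin list and the sample data are assumptions made for illustration.

```php
<?php
// Constructed sample store: settings file name => stored author userid.
// Illustrative only; this is not Game Courier's real data layout.
$settings = ['preset_a' => 'alice', 'preset_b' => ''];  // preset_b has an empty author
$admins   = ['site_admin'];                             // hypothetical admin account

// Assumed weak check: the userid is read from the form and compared with the
// stored author, so an empty form field matches an empty stored author.
function can_save_weak(array $settings, string $name, string $formUserid, ?string $sessionUser): bool {
    if ($sessionUser === null) {
        return false;                        // not signed in: refused
    }
    if (!array_key_exists($name, $settings)) {
        return true;                         // new file: any signed-in user may create it
    }
    return $settings[$name] === $formUserid;
}

// Stricter check: identity comes only from the session, and a file whose
// author is empty is unowned, so only an administrator may change it.
function can_save_strict(array $settings, string $name, ?string $sessionUser, array $admins): bool {
    if ($sessionUser === null || $sessionUser === '') {
        return false;
    }
    if (!array_key_exists($name, $settings)) {
        return true;                         // new file; author is set to $sessionUser
    }
    $author = $settings[$name];
    if (trim($author) === '') {
        return in_array($sessionUser, $admins, true);
    }
    return $author === $sessionUser;
}

// Audit helper: names of existing files with an empty author, for reassignment.
function unowned_files(array $settings): array {
    return array_keys(array_filter($settings, fn($a) => trim((string) $a) === ''));
}

// Spare account, empty form userid, file with an empty author.
var_dump(can_save_weak($settings, 'preset_b', '', 'spare_account'));
// Same request under the stricter check, then as the administrator.
var_dump(can_save_strict($settings, 'preset_b', 'spare_account', $admins));
var_dump(can_save_strict($settings, 'preset_b', 'site_admin', $admins));
// Files that still need an owner assigned.
var_dump(unowned_files($settings));
```

Running the audit helper over the existing settings files and assigning each result to its rightful owner closes the remaining gap for files saved before the session-based fix.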