Issue status update for http://drupal.org/node/27949 Post a follow up: http://drupal.org/project/comments/add/27949 Project: Drupal Version: cvs Component: profile.module Category: bug reports Priority: normal Assigned to: robertDouglass Reported by: robertDouglass Updated by: robertDouglass Status: patch (code needs review) Attachment: http://drupal.org/files/issues/profile_fix_acces_control_in_theme.txt (2.36 KB) The two theme functions in profile.module both violate good theming practice by running user control logic in the middle of them. Worse yet, this isn't immediately visible since it happens in yet another function. Thus themers overriding these functions to style profile pages[1] inadvertently break access control, thus leading to the misperception that overriding theme functions is inherently dangerous[2]. [1] http://drupal.org/node/16011 [2] http://drupal.org/node/16821 robertDouglass