Issue status update for http://drupal.org/node/4166

Project:      Drupal
Version:      cvs
Component:    user system
Category:     bug reports
Priority:     normal
Assigned to:  Anonymous
Reported by:  mic
Updated by:   killes@www.drop.org
Status:       patch
Attachment:   http://drupal.org/files/issues/user_access_bug_1.patch (11.45 KB)

Ok, updated patch. Includes changes to format_name to only display unlinked username for non-privileged users. 'access users' is now 'access user profiles'. The search users tab won't get displayed either if you are not allowed to see user profiles.

The patch got even tested.

killes@www.drop.org

Previous comments:
------------------------------------------------------------------------
November 17, 2003 - 06:23 : mic

When anonymous visitors do not have "Access userlist" permission, they can still view all the public info in user profiles. Drupal sites that are created for a group of friends or for an organization want to protect their e-mail addresses, telephone numbers and so on, while making these accessible to fellow members.

This could be a critical feature request, but since I think it's an error, I'm sending you this as bug. (I don't have CVS, so I'm hoping someone else will make the simple correction needed to the user module)

------------------------------------------------------------------------
February 3, 2004 - 05:41 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission.patch (1.54 KB)

I made a patch that fixed this by adding a new permission, "access users".

This is everything this patch does:
- Add new permission, "access users"
- If a user does not have the "access users" permission, s/he cannot read another user's profile at all, and instead gets an "access denied" page.

I hope I did this in the proper way.
------------------------------------------------------------------------
April 21, 2004 - 20:25 : Dries

I think we should not introduce a new permission but merge with the existing 'access user list' permission (or rename it to 'access users'). Marking this "won't fix" until the patch has been updated.

------------------------------------------------------------------------
May 28, 2004 - 02:26 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_0.patch (1.88 KB)

Another patch, this time renaming the permission "access user list" to "access users", and adding a check in the user viewing function to only allow users with this permission to view the user information.

------------------------------------------------------------------------
July 5, 2004 - 15:31 : Anonymous

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_1.patch (1.86 KB)

Here is a patch again, now for CVS. Does the same thing as above. It is a very simple patch. If it seems proper, I hope that can be included before it goes stale.

------------------------------------------------------------------------
July 9, 2004 - 02:08 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_2.patch (1.33 KB)

The previous patch was accepted, but then for some reason reversed as part of another CVS commit. So, here is a new patch that brings back the "access users" permission. It controls whether or not a user may view other users' info.

------------------------------------------------------------------------
September 22, 2004 - 16:53 : Bèr Kessels

Attachment: http://drupal.org/files/issues/access_users_perm.patch (6.46 KB)

A new and revised patch. It adds an "access users" permission

------------------------------------------------------------------------
September 22, 2004 - 18:02 : killes@www.drop.org

I'd like to see this patch applied to cvs before the 4.5 release.
Now that we can protect our nodes from unauthorized access it just makes sense to protect our user data as well. In the future I'd like to see a scheme where the user (as in end-user) is able to select which of his data gets published.

------------------------------------------------------------------------
September 23, 2004 - 01:52 : rkendall

I would like this too

------------------------------------------------------------------------
October 14, 2004 - 23:46 : drumm

Can the name be changed to 'view user profiles'?

------------------------------------------------------------------------
October 18, 2004 - 09:19 : Bèr Kessels

It can, but I used "access" for consistency. We have "access newsfeeds", "access comments", "access etc".

This patch is critical for corporate sites btw. A corporate site that has its customers information lying on the streets (so to say) is not-done.

Ber

------------------------------------------------------------------------
November 27, 2004 - 13:49 : killes@www.drop.org

Attachment: http://drupal.org/files/issues/user-access.patch (5.96 KB)

Updated for CVS. I assumed that "admin users" implies "access users" in user_admin.

------------------------------------------------------------------------
March 1, 2005 - 17:30 : killes@www.drop.org

Does not apply anymore, Ber can you have a look at it?

------------------------------------------------------------------------
March 7, 2005 - 09:19 : Bèr Kessels

Attachment: http://drupal.org/files/issues/user_access_0.patch (9.74 KB)

New patch. Should apply to HEAD.

------------------------------------------------------------------------
April 7, 2005 - 21:29 : killes@www.drop.org

It's a patch (which still applies and wants into core).
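
------------------------------------------------------------------------
Added example (not part of the thread and not taken from any of the attached patches): a stand-alone PHP sketch of the behaviour the comments describe, with the permission checked in the profile view itself, usernames rendered unlinked for viewers without it, and the user-administration permission implying it. All function names, the role map and the sample account are hypothetical and constructed for illustration; none of it is Drupal's API.

```php
<?php
// Added illustration; names and data below are hypothetical, not Drupal's API.

// Constructed role -> permission map.
const ROLE_PERMISSIONS = [
    'anonymous' => [],
    'member'    => ['access user profiles'],
    'admin'     => ['administer users'],
];

// Constructed sample account.
const PROFILES = [
    7 => ['name' => 'alice', 'mail' => 'alice@example.org', 'phone' => '555-0100'],
];

function has_permission(string $role, string $perm): bool
{
    $granted = ROLE_PERMISSIONS[$role] ?? [];   // unknown roles get nothing
    // Assumption stated in the thread: administering users implies viewing them.
    if ($perm === 'access user profiles' && in_array('administer users', $granted, true)) {
        return true;
    }
    return in_array($perm, $granted, true);
}

// Username as shown in listings: linked only if the viewer may open the profile.
function render_username(string $role, int $uid): string
{
    $name = htmlspecialchars(PROFILES[$uid]['name'] ?? 'unknown', ENT_QUOTES, 'UTF-8');
    return has_permission($role, 'access user profiles')
        ? sprintf('<a href="/user/%d">%s</a>', $uid, $name)
        : $name;
}

// Profile page handler: the check lives here, not only where links are built,
// so a hand-typed /user/7 URL is refused too. The 403 is decided before the
// lookup, so the response does not reveal which account ids exist.
function view_profile(string $role, int $uid): array
{
    if (!has_permission($role, 'access user profiles')) {
        return ['status' => 403, 'body' => 'Access denied'];
    }
    if (!array_key_exists($uid, PROFILES)) {
        return ['status' => 404, 'body' => 'Not found'];
    }
    return ['status' => 200, 'body' => PROFILES[$uid]];
}

foreach (['anonymous', 'member', 'admin'] as $role) {
    printf("%-9s %-32s %d\n", $role, render_username($role, 7), view_profile($role, 7)['status']);
}
```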