[consulting] Restrict Group Access to one User Login Account

Greg Knaddison Greg at GrowingVentureSolutions.com
Thu Oct 8 15:53:52 UTC 2009


On Thu, Oct 8, 2009 at 9:46 AM, Brian Vuyk <brian at brianvuyk.com> wrote:
> Hacky, but...
>
> Hide the form elements on the user form for that user with hook_form_alter.
>

Sounds good.

> To stop the pesky bugger with Firebug, write a quick hook_user
> implementation to trigger on $op = 'update' to not allow the username,
> email, and password to be changed unless the logged-in user making the
> change is an administrator.

The Form API protects against so-called semantic forgeries, unless the
site has some other way to edit users besides the main user form or has
an improper use of $_POST variables. I suggest you try adding a form
field or a select option and see if it works - if it does, mail
security at drupal.org with the steps to repeat it because that's a
vulnerability.

Regards,
Greg

-- 
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers
Now available from Wiley http://crackingdrupal.com
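
The approach discussed in this thread, sketched as an added example that is not part of the original messages or of any project's code. It assumes Drupal 6, a hypothetical module named "mymodule", and a hypothetical site variable "mymodule_shared_uid" holding the uid of the shared login account. Setting '#access' to FALSE removes the elements on the server side, so the Form API ignores any posted values for them instead of relying on the browser to keep them hidden.

```php
<?php
// Added example: hypothetical Drupal 6 module "mymodule" (mymodule.module).

/**
 * Implementation of hook_form_alter().
 *
 * Removes the username, e-mail and password elements from the account edit
 * form of the shared login account, unless an administrator is editing it.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  // Only the core account edit form is of interest here.
  if ($form_id != 'user_profile_form' || !isset($form['_account']['#value'])) {
    return;
  }

  // The account being edited, which is not necessarily the logged-in user.
  $account = $form['_account']['#value'];

  // Assumption: the shared account's uid is stored in a site variable.
  // 0 means "not configured", in which case nothing is restricted.
  $shared_uid = (int) variable_get('mymodule_shared_uid', 0);
  if ($shared_uid == 0 || $account->uid != $shared_uid) {
    return;
  }

  // Administrators keep full control over the shared account.
  if (user_access('administer users')) {
    return;
  }

  // '#access' => FALSE is enforced by the Form API when the form is
  // processed: the element is not rendered and posted input for it is not
  // accepted, so re-adding the field in the browser changes nothing.
  foreach (array('name', 'mail', 'pass') as $key) {
    if (isset($form['account'][$key])) {
      $form['account'][$key]['#access'] = FALSE;
    }
  }
}
```

This covers only the main user form; any other code path that saves user accounts or reads $_POST directly needs its own check.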
