[drupal-devel] [bug] User info should not be visible without permission

killes drupal-devel at drupal.org
Fri Apr 8 17:10:55 UTC 2005


Issue status update for http://drupal.org/node/4166

 Project:      Drupal
 Version:      cvs
 Component:    user system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  mic
 Updated by:   killes at www.drop.org
 Status:       patch
 Attachment:   http://drupal.org/files/issues/user_access_bug_1.patch (11.45 KB)

Ok, updated patch. Includes changes to format_name to only display
unlinked username for non-privileged users. 'access users' is now
'access user profiles'. The search users tab won't get displayed either
if you are not allowed to see user profiles. The patch got even tested.


killes at www.drop.org
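The access model this patch describes (a profile-view permission checked before any user data is rendered, unlinked names for users who lack it, and the search-users tab hidden from them), written out as an added illustration in Drupal 4.x-style PHP. This is not the attached patch and not the project's own code: user_access(), drupal_access_denied(), drupal_not_found(), user_load(), l(), t() and variable_get() are Drupal 4.x API functions, the permission strings are the ones named in this thread, and the helper _user_may_view_profiles() and the exact shape of the search/user menu entry are assumptions of mine.

```php
<?php
// Added illustration, not the thread's patch. Shows the three places a
// profile-view permission has to be enforced so that user data is never
// emitted to a caller who is not allowed to see it.

// hook_perm: declare the permission the thread settles on.
function user_perm() {
  return array('access user profiles', 'administer users');
}

// Hypothetical helper (my name): "administer users" implies
// "access user profiles", the assumption killes states for user_admin().
function _user_may_view_profiles() {
  return user_access('access user profiles') || user_access('administer users');
}

// hook_menu (4.5-style, with $may_cache): the search-users tab only exists
// for callers who may view profiles, so it is not rendered at all for
// everyone else. Entry shape is an assumption, not copied from core.
function user_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'search/user',
      'title' => t('users'),
      'type' => MENU_LOCAL_TASK,
      'access' => _user_may_view_profiles(),
    );
  }
  return $items;
}

// Page callback for user/<uid>: refuse before loading or rendering the
// account, rather than rendering the page and hiding individual fields.
function user_view($uid = 0) {
  if (!_user_may_view_profiles()) {
    drupal_access_denied();
    return;
  }
  $account = user_load(array('uid' => $uid));
  if (!$account) {
    drupal_not_found();
    return;
  }
  // ... render $account's public fields here ...
}

// format_name: privileged callers get a link to the profile, everyone else
// gets the bare name, so no profile URL is handed out to someone who cannot
// open it anyway. The name is user-supplied, so it is escaped before output
// (assumes the 4.x l() does not escape its text argument itself).
function format_name($object) {
  if ($object->uid && $object->name) {
    $name = htmlspecialchars($object->name);
    return _user_may_view_profiles() ? l($name, 'user/'. $object->uid) : $name;
  }
  return variable_get('anonymous', 'Anonymous');
}
```

The point of checking the permission in user_view() before user_load() is that the decision is made once, on the request, rather than field by field in the theme layer; the menu and format_name() changes only keep links and tabs from advertising pages the caller would be denied on anyway.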



Previous comments:
------------------------------------------------------------------------

November 17, 2003 - 06:23 : mic

When anonymous visitors do not have "Access userlist" permission, they
can still view all the public info in user profiles.
Drupal sites that are created for a group of friends or for an
organization want to protect their e-mail addresses, telephone numbers
and so on, while making these accessible to fellow members.
This could be a critical feature request, but since I think it's an
error, I'm sending you this as a bug.
(I don't have CVS, so I'm hoping someone else will make the simple
correction needed to the user module)


------------------------------------------------------------------------

February 3, 2004 - 05:41 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission.patch (1.54 KB)

I made a patch that fixed this by adding a new permission, "access
users".
This is everything this patch does:

Add new permission, "access users"
If a user does not have the "access users" permission, s/he cannot read
another user's profile at all, and instead gets an "access denied" page.

I hope I did this in the proper way.


------------------------------------------------------------------------

April 21, 2004 - 20:25 : Dries

I think we should not introduce a new permission but merge with the
existing 'access user list' permission (or rename it to 'access
users').  Marking this "won't fix" until the patch has been updated.


------------------------------------------------------------------------

May 28, 2004 - 02:26 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_0.patch (1.88 KB)

Another patch, this time renaming the permission "access user list" to
"access users", and adding a check in the user viewing function to only
allow users with this permission to view the user information.


------------------------------------------------------------------------

July 5, 2004 - 15:31 : Anonymous

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_1.patch (1.86 KB)

Here is a patch again, now for CVS.  Does the same thing as above.
It is a very simple patch.  If it seems proper, I hope that can be
included before it goes stale.


------------------------------------------------------------------------

July 9, 2004 - 02:08 : daBrado

Attachment: http://drupal.org/files/issues/user-module-add-view-permission_2.patch (1.33 KB)

The previous patch was accepted, but then for some reason reversed as
part of another CVS commit.
So, here is a new patch that brings back the "access users" permission.
It controls whether or not a user may view other users' info.


------------------------------------------------------------------------

September 22, 2004 - 16:53 : Bèr Kessels

Attachment: http://drupal.org/files/issues/access_users_perm.patch (6.46 KB)

A new and revised patch.
It adds an "access users" permission


------------------------------------------------------------------------

September 22, 2004 - 18:02 : killes at www.drop.org

I'd like to see this patch applied to cvs before the 4.5 release. Now
that we can protect our nodes from unauthorized access it just makes
sense to protect our user data as well. In the future I'd like to see a
scheme where the user (as in end-user) is able to select which of his
data gets published.


------------------------------------------------------------------------

September 23, 2004 - 01:52 : rkendall

I would like this too


------------------------------------------------------------------------

October 14, 2004 - 23:46 : drumm

Can the name be changed to 'view user profiles'?


------------------------------------------------------------------------

October 18, 2004 - 09:19 : Bèr Kessels

It can, but I used "access" for consistency. We have "access newsfeeds",
"access comments", "access etc".
This patch is critical for corporate sites btw. A corporate site that
has its customers information lying on the streets (so to say) is
not-done.
Ber


------------------------------------------------------------------------

November 27, 2004 - 13:49 : killes at www.drop.org

Attachment: http://drupal.org/files/issues/user-access.patch (5.96 KB)

Updated for CVS. I assumed that "admin users" implies "access users" in
user_admin.


------------------------------------------------------------------------

March 1, 2005 - 17:30 : killes at www.drop.org

Does not apply anymore, Ber can you have a look at it?


------------------------------------------------------------------------

March 7, 2005 - 09:19 : Bèr Kessels

Attachment: http://drupal.org/files/issues/user_access_0.patch (9.74 KB)

New patch. Should apply to HEAD.


------------------------------------------------------------------------

April 7, 2005 - 21:29 : killes at www.drop.org

It's a patch (which still applies and wants into core).

