[drupal-devel] [bug] User info should not be visible without permission
killes
drupal-devel at drupal.org
Mon Apr 11 23:11:18 UTC 2005
Issue status update for http://drupal.org/node/4166
Project: Drupal
Version: cvs
Component: user system
Category: bug reports
Priority: normal
Assigned to: killes at www.drop.org
Reported by: mic
Updated by: killes at www.drop.org
Status: patch
Attachment: http://drupal.org/files/issues/user-db_0.patch (2.45 KB)
killes at www.drop.org
Previous comments:
------------------------------------------------------------------------
November 17, 2003 - 06:23 : mic
When anonymous visitors do not have "Access userlist" permission, they
can still view all the public info in user profiles.
Drupal sites that are created for a group of friends or for an
organization want to protect their e-mail addresses, telephone numbers
and so on, while making these accessible to fellow members.
This could be a critical feature request, but since I think it's an
error, I'm sending you this as a bug.
(I don't have CVS, so I'm hoping someone else will make the simple
correction needed to the user module)
------------------------------------------------------------------------
February 3, 2004 - 05:41 : daBrado
Attachment: http://drupal.org/files/issues/user-module-add-view-permission.patch (1.54 KB)
I made a patch that fixed this by adding a new permission, "access
users".
This is everything this patch does:
Add new permission, "access users"
If a user does not have the "access users" permission, s/he cannot read
another user's profile at all, and instead gets an "access denied" page.
I hope I did this in the proper way.
------------------------------------------------------------------------
April 21, 2004 - 20:25 : Dries
I think we should not introduce a new permission but merge with the
existing 'access user list' permission (or rename it to 'access
users'). Marking this "won't fix" until the patch has been updated.
------------------------------------------------------------------------
May 28, 2004 - 02:26 : daBrado
Attachment: http://drupal.org/files/issues/user-module-add-view-permission_0.patch (1.88 KB)
Another patch, this time renaming the permission "access user list" to
"access users", and adding a check in the user viewing function to only
allow users with this permission to view the user information.
------------------------------------------------------------------------
July 5, 2004 - 15:31 : Anonymous
Attachment: http://drupal.org/files/issues/user-module-add-view-permission_1.patch (1.86 KB)
Here is a patch again, now for CVS. Does the same thing as above.
It is a very simple patch. If it seems proper, I hope that can be
included before it goes stale.
------------------------------------------------------------------------
July 9, 2004 - 02:08 : daBrado
Attachment: http://drupal.org/files/issues/user-module-add-view-permission_2.patch (1.33 KB)
The previous patch was accepted, but then for some reason reversed as
part of another CVS commit.
So, here is a new patch that brings back the "access users" permission.
It controls whether or not a user may view other users' info.
------------------------------------------------------------------------
September 22, 2004 - 16:53 : Bèr Kessels
Attachment: http://drupal.org/files/issues/access_users_perm.patch (6.46 KB)
A new and revised patch.
It adds an "access users" permission
------------------------------------------------------------------------
September 22, 2004 - 18:02 : killes at www.drop.org
I'd like to see this patch applied to cvs before the 4.5 release. Now
that we can protect our nodes from unauthorized access it just makes
sense to protect our user data as well. In the future I'd like to see
a scheme where the user (as in end-user) is able to select which of his
data gets published.
------------------------------------------------------------------------
September 23, 2004 - 01:52 : rkendall
I would like this too
------------------------------------------------------------------------
October 14, 2004 - 23:46 : drumm
Can the name be changed to 'view user profiles'?
------------------------------------------------------------------------
October 18, 2004 - 09:19 : Bèr Kessels
It can, but I used "access" for consistency. We have "access newsfeeds",
"access comments", "access etc".
This patch is critical for corporate sites btw. A corporate site that
has its customers information lying on the streets (so to say) is
not-done.
Ber
------------------------------------------------------------------------
November 27, 2004 - 13:49 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user-access.patch (5.96 KB)
Updated for CVS. I assumed that "admin users" implies "access users" in
user_admin.
------------------------------------------------------------------------
March 1, 2005 - 17:30 : killes at www.drop.org
Does not apply anymore, Ber can you have a look at it?
------------------------------------------------------------------------
March 7, 2005 - 09:19 : Bèr Kessels
Attachment: http://drupal.org/files/issues/user_access_0.patch (9.74 KB)
New patch. Should apply to HEAD.
------------------------------------------------------------------------
April 7, 2005 - 21:29 : killes at www.drop.org
It's a patch (which still applies and wants into core).
------------------------------------------------------------------------
April 8, 2005 - 18:10 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user_access_bug_1.patch (11.45 KB)
Ok, updated patch. Includes changes to format_name to only display
unlinked username for non-privileged users. 'access users' is now
'access user profiles'. The search users tab won't get displayed either
if you are not allowed to see user profiles. The patch got even tested.
------------------------------------------------------------------------
April 8, 2005 - 18:19 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user_access_bug_2.patch (11.26 KB)
Further testing revealed a bug in the older parts of the patch...
------------------------------------------------------------------------
April 8, 2005 - 20:02 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user_access_bug_3.patch (11.35 KB)
Another iteration: Users should always be allowed to see their own user
page.
------------------------------------------------------------------------
April 11, 2005 - 23:49 : Steven
Committed to 4.6/HEAD.
------------------------------------------------------------------------
April 12, 2005 - 00:04 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user-db.patch (2.56 KB)
We found that users should not wonder why they cannot see other users'
pages anymore. DB update required.
Patch for HEAD attached, 4.6 to follow.
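
The access rule this thread converged on (own page always visible, otherwise the 'access user profiles' permission, user names unlinked for viewers without it), as an added example that is not part of the original thread and is not Drupal's code. All function names, the role table and the sample accounts are hypothetical; the 'administer users' name for the thread's "admin users" permission and uid 0 for the anonymous visitor are assumptions.

```php
<?php
// Constructed role -> permission table (hypothetical sample data).
$role_perms = array(
  'anonymous' => array('access content'),
  'limited'   => array('access content'),
  'member'    => array('access content', 'access user profiles'),
  'admin'     => array('access content', 'administer users'),
);

// Hypothetical helper: does the account's role grant the permission?
function example_has_perm($account, $perm) {
  global $role_perms;
  return in_array($perm, $role_perms[$account['role']], TRUE);
}

// Decide whether $viewer may see $target's profile page.
function example_profile_access($viewer, $target) {
  // Logged-in users may always see their own page (uid 0 = anonymous).
  if ($viewer['uid'] != 0 && $viewer['uid'] == $target['uid']) {
    return TRUE;
  }
  // Assumption taken from the thread: the admin permission implies access.
  if (example_has_perm($viewer, 'administer users')) {
    return TRUE;
  }
  return example_has_perm($viewer, 'access user profiles');
}

// Render a user name: linked only when the viewer may open the profile,
// so listings do not point at a page that answers "access denied".
function example_format_name($viewer, $target) {
  $name = htmlspecialchars($target['name'], ENT_QUOTES);
  if (example_profile_access($viewer, $target)) {
    return '<a href="user/' . (int) $target['uid'] . '">' . $name . '</a>';
  }
  return $name;
}

// Constructed sample accounts.
$anon  = array('uid' => 0, 'name' => '',      'role' => 'anonymous');
$alice = array('uid' => 2, 'name' => 'alice', 'role' => 'member');
$bob   = array('uid' => 3, 'name' => 'bob',   'role' => 'limited');

var_dump(example_profile_access($anon, $alice));  // anonymous viewer
var_dump(example_profile_access($bob, $alice));   // no permission, other user
var_dump(example_profile_access($bob, $bob));     // no permission, own page
echo example_format_name($bob, $alice), "\n";     // name only, no link
echo example_format_name($alice, $bob), "\n";     // linked name
```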