[drupal-devel] [bug] Remove code containing user access controls from profile theme functions

chx drupal-devel at drupal.org
Thu Aug 18 12:45:31 UTC 2005


Issue status update for 
http://drupal.org/node/27949
Post a follow up: 
http://drupal.org/project/comments/add/27949

 Project:      Drupal
 Version:      cvs
 Component:    profile.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  robertDouglass
 Reported by:  robertDouglass
 Updated by:   chx
 Status:       patch (code needs review)

Just by looking at the code: -1. Never write $user we use $account in
these places. There is a global $user and you do not want accidental
mixup.


If you change that, I think I'll like it :)




chx



Previous comments:
------------------------------------------------------------------------

Mon, 01 Aug 2005 12:32:07 +0000 : robertDouglass

Attachment: http://drupal.org/files/issues/profile_fix_acces_control_in_theme.txt (2.36 KB)

The two theme functions in profile.module both violate good theming
practice by running user control logic in the middle of them. Worse
yet, this isn't immediately visible since it happens in yet another
function. Thus themers overriding these functions to style profile
pages[1] inadvertently break access control, thus leading to the
misperception that overriding theme functions is inherently
dangerous[2].


[1] http://drupal.org/node/16011
[2] http://drupal.org/node/16821




------------------------------------------------------------------------

Thu, 18 Aug 2005 12:37:40 +0000 : robertDouglass

patch still applies. Anyone care to review?




------------------------------------------------------------------------

Thu, 18 Aug 2005 12:41:46 +0000 : Dublin Drupaller

Would like to review and help Robert, but I don't have a CVS version of
drupal installed..will the patch work with 4.6.x?


Dub







More information about the drupal-devel mailing list