Commit 23bccfd1 authored by Steven Wittens's avatar Steven Wittens

- #4166: Respect 'access userlist' permission for profile data.

parent bc44805f
......@@ -927,7 +927,12 @@ function format_name($object) {
$name = $object->name;
}
$output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.')));
if (user_access('access user profiles')) {
$output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.')));
}
else {
$output = $name;
}
}
else if ($object->name) {
// Sometimes modules display content composed by people who are
......
......@@ -35,7 +35,7 @@ function profile_menu($may_cache) {
if ($may_cache) {
$items[] = array('path' => 'profile', 'title' => t('user list'),
'callback' => 'profile_browse',
'access' => TRUE,
'access' => user_access('access user profiles'),
'type' => MENU_SUGGESTED_ITEM);
$items[] = array('path' => 'admin/settings/profile', 'title' => t('profiles'),
'callback' => 'profile_admin_overview',
......
......@@ -35,7 +35,7 @@ function profile_menu($may_cache) {
if ($may_cache) {
$items[] = array('path' => 'profile', 'title' => t('user list'),
'callback' => 'profile_browse',
'access' => TRUE,
'access' => user_access('access user profiles'),
'type' => MENU_SUGGESTED_ITEM);
$items[] = array('path' => 'admin/settings/profile', 'title' => t('profiles'),
'callback' => 'profile_admin_overview',
......
......@@ -108,8 +108,8 @@ function search_menu($may_cache) {
$keys = search_get_keys();
$keys = strlen($keys) ? '/'. $keys : '';
foreach (module_list() as $name) {
if (module_hook($name, 'search')) {
$items[] = array('path' => 'search/'. $name . $keys, 'title' => module_invoke($name, 'search', 'name'),
if (module_hook($name, 'search') && $title = module_invoke($name, 'search', 'name')) {
$items[] = array('path' => 'search/'. $name . $keys, 'title' => $title,
'callback' => 'search_view',
'access' => user_access('search content'),
'type' => MENU_LOCAL_TASK);
......
......@@ -108,8 +108,8 @@ function search_menu($may_cache) {
$keys = search_get_keys();
$keys = strlen($keys) ? '/'. $keys : '';
foreach (module_list() as $name) {
if (module_hook($name, 'search')) {
$items[] = array('path' => 'search/'. $name . $keys, 'title' => module_invoke($name, 'search', 'name'),
if (module_hook($name, 'search') && $title = module_invoke($name, 'search', 'name')) {
$items[] = array('path' => 'search/'. $name . $keys, 'title' => $title,
'callback' => 'search_view',
'access' => user_access('search content'),
'type' => MENU_LOCAL_TASK);
......
......@@ -403,7 +403,7 @@ function user_fields() {
* Implementation of hook_perm().
*/
function user_perm() {
return array('administer users');
return array('administer users', 'access user profiles');
}
/**
......@@ -424,16 +424,20 @@ function user_file_download($file) {
function user_search($op = 'search', $keys = null) {
switch ($op) {
case 'name':
return t('users');
if (user_access('access user profiles')) {
return t('users');
}
case 'search':
$find = array();
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
if (user_access('access user profiles')) {
$find = array();
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
}
return $find;
}
return $find;
}
}
......@@ -525,7 +529,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
return $block;
case 2:
if (user_access('access content')) {
if (user_access('access content') && user_access('access user profiles')) {
$result = db_query_range('SELECT uid, name FROM {users} WHERE status != 0 ORDER BY uid DESC', 0, 5);
while ($account = db_fetch_object($result)) {
$items[] = format_name($account);
......@@ -539,7 +543,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
return $block;
case 3:
if (user_access('access content')) {
if (user_access('access content') && user_access('access user profiles')) {
// Count users with activity in the past defined period.
$time_period = variable_get('user_block_seconds_online', 2700);
......@@ -625,11 +629,15 @@ function user_menu($may_cache) {
$items = array();
$access = user_access('administer users');
$admin_access = user_access('administer users');
// users should always be allowed to see their own user page
$view_access = (user_access('access user profiles') || ($user->uid == arg(1)));
if ($may_cache) {
$items[] = array('path' => 'user', 'title' => t('user account'),
'callback' => 'user_page', 'access' => TRUE, 'type' => MENU_CALLBACK);
//registration and login pages.
$items[] = array('path' => 'user/login', 'title' => t('log in'),
'type' => MENU_DEFAULT_LOCAL_TASK);
$items[] = array('path' => 'user/register', 'title' => t('register'),
......@@ -639,53 +647,53 @@ function user_menu($may_cache) {
$items[] = array('path' => 'user/help', 'title' => t('help'),
'callback' => 'user_help_page', 'type' => MENU_CALLBACK);
//admin pages
$items[] = array('path' => 'admin/user', 'title' => t('users'),
'callback' => 'user_admin', 'access' => $access);
'callback' => 'user_admin', 'access' => $admin_access);
$items[] = array('path' => 'admin/user/list', 'title' => t('list'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/user/create', 'title' => t('add user'),
'callback' => 'user_admin', 'access' => $access,
'callback' => 'user_admin', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/user/configure', 'title' => t('configure'),
'callback' => 'user_configure', 'access' => $access,
'callback' => 'user_configure', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access', 'title' => t('access control'),
'callback' => 'user_admin_perm', 'access' => $access);
'callback' => 'user_admin_perm', 'access' => $admin_access);
$items[] = array('path' => 'admin/access/permissions', 'title' => t('permissions'),
'callback' => 'user_admin_perm', 'access' => $access,
'callback' => 'user_admin_perm', 'access' => $admin_access,
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/access/roles', 'title' => t('roles'),
'callback' => 'user_admin_role', 'access' => $access,
'callback' => 'user_admin_role', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/roles/edit', 'title' => t('edit role'),
'callback' => 'user_admin_role', 'access' => $access,
'callback' => 'user_admin_role', 'access' => $admin_access,
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/access/rules', 'title' => t('account rules'),
'callback' => 'user_admin_access', 'access' => $access,
'callback' => 'user_admin_access', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK, 'weight' => 10);
$items[] = array('path' => 'admin/access/rules/list', 'title' => t('list'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
'access' => $admin_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/access/rules/add', 'title' => t('add rule'),
'callback' => 'user_admin_access_add', 'access' => $access,
'callback' => 'user_admin_access_add', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/rules/check', 'title' => t('check rules'),
'callback' => 'user_admin_access_check', 'access' => $access,
'callback' => 'user_admin_access_check', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/rules/edit', 'title' => t('edit rule'),
'callback' => 'user_admin_access_edit', 'access' => $access,
'callback' => 'user_admin_access_edit', 'access' => $admin_access,
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/access/rules/delete', 'title' => t('delete rule'),
'callback' => 'user_admin_access_delete', 'access' => $access,
'callback' => 'user_admin_access_delete', 'access' => $admin_access,
'type' => MENU_CALLBACK);
if (module_exist('search')) {
$items[] = array('path' => 'admin/user/search', 'title' => t('search'),
'callback' => 'user_admin', 'access' => $access,
'callback' => 'user_admin', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
}
//Your personal page
if ($user->uid) {
$items[] = array('path' => 'user/'. $user->uid, 'title' => t('my account'),
'callback' => 'user_page', 'access' => TRUE,
......@@ -700,22 +708,25 @@ function user_menu($may_cache) {
else {
if (arg(0) == 'user' && is_numeric(arg(1))) {
$items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => TRUE);
'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => $view_access);
$items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
'callback' => 'user_edit', 'access' => $access || $user->uid == arg(1),
'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1),
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'user/'. arg(1) .'/delete', 'title' => t('delete'),
'callback' => 'user_edit', 'access' => $access,
'callback' => 'user_edit', 'access' => $admin_access,
'type' => MENU_CALLBACK);
if (arg(2) == 'edit') {
if (($categories = _user_categories()) && (count($categories) > 1)) {
foreach ($categories as $key => $category) {
$items[] = array('path' => 'user/'. arg(1) .'/edit/'. $category['name'], 'title' => $category['title'],
$items[] = array(
'path' => 'user/'. arg(1) .'/edit/'. $category['name'],
'title' => $category['title'],
'type' => $category['name'] == 'account' ? MENU_DEFAULT_LOCAL_TASK : MENU_LOCAL_TASK,
'weight' => $category['weight']);
'weight' => $category['weight'],
'access' => $admin_access);
}
}
}
......
......@@ -403,7 +403,7 @@ function user_fields() {
* Implementation of hook_perm().
*/
function user_perm() {
return array('administer users');
return array('administer users', 'access user profiles');
}
/**
......@@ -424,16 +424,20 @@ function user_file_download($file) {
function user_search($op = 'search', $keys = null) {
switch ($op) {
case 'name':
return t('users');
if (user_access('access user profiles')) {
return t('users');
}
case 'search':
$find = array();
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
if (user_access('access user profiles')) {
$find = array();
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
}
return $find;
}
return $find;
}
}
......@@ -525,7 +529,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
return $block;
case 2:
if (user_access('access content')) {
if (user_access('access content') && user_access('access user profiles')) {
$result = db_query_range('SELECT uid, name FROM {users} WHERE status != 0 ORDER BY uid DESC', 0, 5);
while ($account = db_fetch_object($result)) {
$items[] = format_name($account);
......@@ -539,7 +543,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
return $block;
case 3:
if (user_access('access content')) {
if (user_access('access content') && user_access('access user profiles')) {
// Count users with activity in the past defined period.
$time_period = variable_get('user_block_seconds_online', 2700);
......@@ -625,11 +629,15 @@ function user_menu($may_cache) {
$items = array();
$access = user_access('administer users');
$admin_access = user_access('administer users');
// users should always be allowed to see their own user page
$view_access = (user_access('access user profiles') || ($user->uid == arg(1)));
if ($may_cache) {
$items[] = array('path' => 'user', 'title' => t('user account'),
'callback' => 'user_page', 'access' => TRUE, 'type' => MENU_CALLBACK);
//registration and login pages.
$items[] = array('path' => 'user/login', 'title' => t('log in'),
'type' => MENU_DEFAULT_LOCAL_TASK);
$items[] = array('path' => 'user/register', 'title' => t('register'),
......@@ -639,53 +647,53 @@ function user_menu($may_cache) {
$items[] = array('path' => 'user/help', 'title' => t('help'),
'callback' => 'user_help_page', 'type' => MENU_CALLBACK);
//admin pages
$items[] = array('path' => 'admin/user', 'title' => t('users'),
'callback' => 'user_admin', 'access' => $access);
'callback' => 'user_admin', 'access' => $admin_access);
$items[] = array('path' => 'admin/user/list', 'title' => t('list'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/user/create', 'title' => t('add user'),
'callback' => 'user_admin', 'access' => $access,
'callback' => 'user_admin', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/user/configure', 'title' => t('configure'),
'callback' => 'user_configure', 'access' => $access,
'callback' => 'user_configure', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access', 'title' => t('access control'),
'callback' => 'user_admin_perm', 'access' => $access);
'callback' => 'user_admin_perm', 'access' => $admin_access);
$items[] = array('path' => 'admin/access/permissions', 'title' => t('permissions'),
'callback' => 'user_admin_perm', 'access' => $access,
'callback' => 'user_admin_perm', 'access' => $admin_access,
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/access/roles', 'title' => t('roles'),
'callback' => 'user_admin_role', 'access' => $access,
'callback' => 'user_admin_role', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/roles/edit', 'title' => t('edit role'),
'callback' => 'user_admin_role', 'access' => $access,
'callback' => 'user_admin_role', 'access' => $admin_access,
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/access/rules', 'title' => t('account rules'),
'callback' => 'user_admin_access', 'access' => $access,
'callback' => 'user_admin_access', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK, 'weight' => 10);
$items[] = array('path' => 'admin/access/rules/list', 'title' => t('list'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
'access' => $admin_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'admin/access/rules/add', 'title' => t('add rule'),
'callback' => 'user_admin_access_add', 'access' => $access,
'callback' => 'user_admin_access_add', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/rules/check', 'title' => t('check rules'),
'callback' => 'user_admin_access_check', 'access' => $access,
'callback' => 'user_admin_access_check', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'admin/access/rules/edit', 'title' => t('edit rule'),
'callback' => 'user_admin_access_edit', 'access' => $access,
'callback' => 'user_admin_access_edit', 'access' => $admin_access,
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/access/rules/delete', 'title' => t('delete rule'),
'callback' => 'user_admin_access_delete', 'access' => $access,
'callback' => 'user_admin_access_delete', 'access' => $admin_access,
'type' => MENU_CALLBACK);
if (module_exist('search')) {
$items[] = array('path' => 'admin/user/search', 'title' => t('search'),
'callback' => 'user_admin', 'access' => $access,
'callback' => 'user_admin', 'access' => $admin_access,
'type' => MENU_LOCAL_TASK);
}
//Your personal page
if ($user->uid) {
$items[] = array('path' => 'user/'. $user->uid, 'title' => t('my account'),
'callback' => 'user_page', 'access' => TRUE,
......@@ -700,22 +708,25 @@ function user_menu($may_cache) {
else {
if (arg(0) == 'user' && is_numeric(arg(1))) {
$items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => TRUE);
'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => $view_access);
$items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
'callback' => 'user_edit', 'access' => $access || $user->uid == arg(1),
'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1),
'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'user/'. arg(1) .'/delete', 'title' => t('delete'),
'callback' => 'user_edit', 'access' => $access,
'callback' => 'user_edit', 'access' => $admin_access,
'type' => MENU_CALLBACK);
if (arg(2) == 'edit') {
if (($categories = _user_categories()) && (count($categories) > 1)) {
foreach ($categories as $key => $category) {
$items[] = array('path' => 'user/'. arg(1) .'/edit/'. $category['name'], 'title' => $category['title'],
$items[] = array(
'path' => 'user/'. arg(1) .'/edit/'. $category['name'],
'title' => $category['title'],
'type' => $category['name'] == 'account' ? MENU_DEFAULT_LOCAL_TASK : MENU_LOCAL_TASK,
'weight' => $category['weight']);
'weight' => $category['weight'],
'access' => $admin_access);
}
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment