From 4b84de9a0c5bc8a9a3cb781b423d9ce834ea089b Mon Sep 17 00:00:00 2001
From: Gerhard Killesreiter <killes_www_drop_org@227.no-reply.drupal.org>
Date: Fri, 17 Mar 2006 18:56:25 +0000
Subject: [PATCH] #14591, User.module links for blocked/non-existant accounts + menu 403/404 issue, patch by Steven and merlinofchaos

---
 includes/common.inc | 8 ++++++
 modules/contact.module | 8 ++++--
 modules/contact/contact.module | 8 ++++--
 modules/tracker.module | 12 +++++++--
 modules/tracker/tracker.module | 12 +++++++--
 modules/user.module | 48 ++++++++++++++++++----------------
 modules/user/user.module | 48 ++++++++++++++++++----------------
 7 files changed, 92 insertions(+), 52 deletions(-)

diff --git a/includes/common.inc b/includes/common.inc
index c6fe6dd05a80..196fbab6f0ce 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -260,6 +260,10 @@ function drupal_not_found() {
     menu_set_active_item($path);
     $return = menu_execute_active_handler();
   }
+  else {
+    // Redirect to a non-existant menu item to make possible tabs disappear.
+    menu_set_active_item('#');
+  }
 
   if (empty($return)) {
     drupal_set_title(t('Page not found'));
@@ -279,6 +283,10 @@ function drupal_access_denied() {
     menu_set_active_item($path);
     $return = menu_execute_active_handler();
   }
+  else {
+    // Redirect to a non-existant menu item to make possible tabs disappear.
+    menu_set_active_item('#');
+  }
 
   if (empty($return)) {
     drupal_set_title(t('Access denied'));
diff --git a/modules/contact.module b/modules/contact.module
index ea1f116abfb4..eadeb2a8d381 100644
--- a/modules/contact.module
+++ b/modules/contact.module
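Review bot: The new `else` branch is pasted verbatim into both `drupal_not_found()` and `drupal_access_denied()`, and `'#'` is an unnamed sentinel whose only property is that no module registers a menu item there. Pulling the two copies into one small helper, or at least naming the sentinel once and moving the comment onto it, keeps the two sites from drifting apart the next time one is touched. The comment should also read `// Point the menu at a path no module registers so that no local tasks (tabs) are rendered.` rather than the current "non-existant". Both enclosing functions start and end outside their hunks.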
@@ -320,8 +320,12 @@ function contact_admin_settings_submit($form_id, $form_values) {
 function contact_mail_user() {
   global $user;
 
-  if ($account = user_load(array('uid' => arg(1), 'status' => 1))) {
-    if (!$account->contact && !user_access('administer users')) {
+  if ($account = user_load(array('uid' => arg(1)))) {
+    $admin_access = user_access('administer users');
+    if (!$account->status && !$admin_access) {
+      drupal_access_denied();
+    }
+    else if (!$account->contact && !$admin_access) {
       $output = t('%name is not accepting e-mails.', array('%name' => $account->name));
     }
     else if (!$user->uid) {
diff --git a/modules/contact/contact.module b/modules/contact/contact.module
index ea1f116abfb4..eadeb2a8d381 100644
--- a/modules/contact/contact.module
+++ b/modules/contact/contact.module
@@ -320,8 +320,12 @@ function contact_admin_settings_submit($form_id, $form_values) {
 function contact_mail_user() {
   global $user;
 
-  if ($account = user_load(array('uid' => arg(1), 'status' => 1))) {
-    if (!$account->contact && !user_access('administer users')) {
+  if ($account = user_load(array('uid' => arg(1)))) {
+    $admin_access = user_access('administer users');
+    if (!$account->status && !$admin_access) {
+      drupal_access_denied();
+    }
+    else if (!$account->contact && !$admin_access) {
       $output = t('%name is not accepting e-mails.', array('%name' => $account->name));
     }
     else if (!$user->uid) {
diff --git a/modules/tracker.module b/modules/tracker.module
index 4f8e602f7112..f82611ceb1ba 100644
--- a/modules/tracker.module
+++ b/modules/tracker.module
@@ -65,8 +65,16 @@ function tracker_menu($may_cache) {
  */
 function tracker_track_user() {
   if ($account = user_load(array('uid' => arg(1)))) {
-    drupal_set_title($account->name);
-    return tracker_page($account->uid);
+    if ($account->status || user_access('administer users')) {
+      drupal_set_title($account->name);
+      return tracker_page($account->uid);
+    }
+    else {
+      drupal_access_denied();
+    }
+  }
+  else {
+    drupal_not_found();
   }
 }
 
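Review bot: In `contact_mail_user()` the new blocked-account branch calls `drupal_access_denied()` without returning, so control falls through to whatever follows the `if`/`else if` chain below the hunk with `$output` never assigned; `user_view()` in this same commit writes `return drupal_not_found();`, and `return drupal_access_denied();` here would match it and stop the function. The hunk also still has no branch for `user_load()` returning FALSE, which `tracker_track_user()` in this commit handles with `drupal_not_found()` — unless an `else` below the hunk covers it, a request for a uid that does not exist renders a page with no 404. The same hunk is repeated in `modules/contact/contact.module`. The enclosing function continues past the hunk.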
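Review bot: `tracker_track_user()` spells out the "blocked unless the viewer has administer users" rule a third time in this commit, each copy phrased differently (`$account->status || user_access('administer users')` here, `!$account->status && !$admin_access` in contact.module, a bitwise `&=` in user_menu()), which is how the three will drift the next time the rule changes. A single helper in the user module, e.g. `function user_account_visible($account) { return $account->status || user_access('administer users'); }`, would let all three call the same predicate. Separately, `drupal_access_denied()` and `drupal_not_found()` are called without `return` while `user_view()` in the same commit returns their result; one form should be chosen for all the callbacks. The same hunk is repeated in `modules/tracker/tracker.module`.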
diff --git a/modules/tracker/tracker.module b/modules/tracker/tracker.module
index 4f8e602f7112..f82611ceb1ba 100644
--- a/modules/tracker/tracker.module
+++ b/modules/tracker/tracker.module
@@ -65,8 +65,16 @@ function tracker_menu($may_cache) {
  */
 function tracker_track_user() {
   if ($account = user_load(array('uid' => arg(1)))) {
-    drupal_set_title($account->name);
-    return tracker_page($account->uid);
+    if ($account->status || user_access('administer users')) {
+      drupal_set_title($account->name);
+      return tracker_page($account->uid);
+    }
+    else {
+      drupal_access_denied();
+    }
+  }
+  else {
+    drupal_not_found();
   }
 }
 
diff --git a/modules/user.module b/modules/user.module
index 069786fa74d3..c04d0bcf1976 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -686,8 +686,7 @@ function user_menu($may_cache) {
   $admin_access = user_access('administer users');
   $access_access = user_access('administer access control');
 
-  // Users should always be allowed to see their own user page
-  $view_access = (user_access('access user profiles') || ($user->uid == arg(1)));
+  $view_access = user_access('access user profiles');
 
   if ($may_cache) {
     $items[] = array('path' => 'user', 'title' => t('user account'),
@@ -769,15 +768,21 @@ function user_menu($may_cache) {
     }
     else {
       if (arg(0) == 'user' && is_numeric(arg(1))) {
-        $user_exists = user_load(array('uid' => arg(1), 'status' => 1));
+        $account = user_load(array('uid' => arg(1)));
 
-        $items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
-          'type' => MENU_CALLBACK, 'callback' => 'user_view',
-          'callback arguments' => array(arg(1)), 'access' => $view_access);
+        if ($user !== FALSE) {
+          // Always let a user view their own account
+          $view_access |= $user->uid == arg(1);
+          // Only admins can view blocked accounts
+          $view_access &= $account->status || $admin_access;
+
+          $items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
+            'type' => MENU_CALLBACK, 'callback' => 'user_view',
+            'callback arguments' => array(arg(1)), 'access' => $view_access);
 
-        if ($user_exists !== FALSE || $admin_access) {
           $items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
             'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+
           $items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
             'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1), 'type' => MENU_LOCAL_TASK);
 
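Review bot: `if ($user !== FALSE)` tests the wrong variable: `$user` is dereferenced as `$user->uid` two lines later and looks like the global current-user object, so the guard is always true, while `$account` — the `user_load()` result that the `user_view()` hunk of this same file compares against FALSE — is never checked before `$account->status` is read. For a uid that does not exist that reads a property of FALSE and `$view_access &= ...` becomes 0, so the `user/N` item is registered with access denied (a 403) instead of being left unregistered so the request reaches the not-found path, which appears to be the 403/404 case the subject line refers to; the fix is `if ($account !== FALSE) {`. Separately, `|=` and `&=` are bitwise operators applied to booleans here; `$view_access = $view_access || $user->uid == arg(1);` and `$view_access = $view_access && ($account->status || $admin_access);` say what is meant without the int conversion. The enclosing function continues past the hunk, and the same hunk is repeated in `modules/user/user.module`.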
@@ -1406,25 +1411,24 @@ function user_edit_submit($form_id, $form_values) {
 function user_view($uid = 0) {
   global $user;
 
-  if ($account = user_load(array('uid' => $uid, 'status' => 1))) {
-    // Retrieve and merge all profile fields:
-    $fields = array();
-    foreach (module_list() as $module) {
-      if ($data = module_invoke($module, 'user', 'view', '', $account)) {
-        foreach ($data as $category => $items) {
-          foreach ($items as $item) {
-            $item['class'] = "$module-". $item['class'];
-            $fields[$category][] = $item;
-          }
+  $account = user_load(array('uid' => $uid));
+  if ($account === FALSE) {
+    return drupal_not_found();
+  }
+  // Retrieve and merge all profile fields:
+  $fields = array();
+  foreach (module_list() as $module) {
+    if ($data = module_invoke($module, 'user', 'view', '', $account)) {
+      foreach ($data as $category => $items) {
+        foreach ($items as $item) {
+          $item['class'] = "$module-". $item['class'];
+          $fields[$category][] = $item;
         }
       }
     }
-    drupal_set_title($account->name);
-    return theme('user_profile', $account, $fields);
-  }
-  else {
-    drupal_not_found();
   }
+  drupal_set_title($account->name);
+  return theme('user_profile', $account, $fields);
 }
 
 /*** Administrative features ***********************************************/
diff --git a/modules/user/user.module b/modules/user/user.module
index 069786fa74d3..c04d0bcf1976 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -686,8 +686,7 @@ function user_menu($may_cache) {
   $admin_access = user_access('administer users');
   $access_access = user_access('administer access control');
 
-  // Users should always be allowed to see their own user page
-  $view_access = (user_access('access user profiles') || ($user->uid == arg(1)));
+  $view_access = user_access('access user profiles');
 
   if ($may_cache) {
     $items[] = array('path' => 'user', 'title' => t('user account'),
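Review bot: `user_view()` drops the `'status' => 1` filter from `user_load()` and now depends entirely on the access value computed in `user_menu()` (`$view_access &= $account->status || $admin_access`) to keep blocked profiles away from non-administrators; the callback itself will render a blocked account for any caller that does not arrive through that one menu item. The other callbacks in this commit, `contact_mail_user()` and `tracker_track_user()`, re-check status inside the function, and the same belt-and-braces check belongs here: after the `=== FALSE` test add `if (!$account->status && !user_access('administer users')) { return drupal_access_denied(); }`. The same hunk is repeated in `modules/user/user.module`.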
@@ -769,15 +768,21 @@ function user_menu($may_cache) {
     }
     else {
       if (arg(0) == 'user' && is_numeric(arg(1))) {
-        $user_exists = user_load(array('uid' => arg(1), 'status' => 1));
+        $account = user_load(array('uid' => arg(1)));
 
-        $items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
-          'type' => MENU_CALLBACK, 'callback' => 'user_view',
-          'callback arguments' => array(arg(1)), 'access' => $view_access);
+        if ($user !== FALSE) {
+          // Always let a user view their own account
+          $view_access |= $user->uid == arg(1);
+          // Only admins can view blocked accounts
+          $view_access &= $account->status || $admin_access;
+
+          $items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
+            'type' => MENU_CALLBACK, 'callback' => 'user_view',
+            'callback arguments' => array(arg(1)), 'access' => $view_access);
 
-        if ($user_exists !== FALSE || $admin_access) {
           $items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
             'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+
           $items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
             'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1), 'type' => MENU_LOCAL_TASK);
 
@@ -1406,25 +1411,24 @@ function user_edit_submit($form_id, $form_values) {
 function user_view($uid = 0) {
   global $user;
 
-  if ($account = user_load(array('uid' => $uid, 'status' => 1))) {
-    // Retrieve and merge all profile fields:
-    $fields = array();
-    foreach (module_list() as $module) {
-      if ($data = module_invoke($module, 'user', 'view', '', $account)) {
-        foreach ($data as $category => $items) {
-          foreach ($items as $item) {
-            $item['class'] = "$module-". $item['class'];
-            $fields[$category][] = $item;
-          }
+  $account = user_load(array('uid' => $uid));
+  if ($account === FALSE) {
+    return drupal_not_found();
+  }
+  // Retrieve and merge all profile fields:
+  $fields = array();
+  foreach (module_list() as $module) {
+    if ($data = module_invoke($module, 'user', 'view', '', $account)) {
+      foreach ($data as $category => $items) {
+        foreach ($items as $item) {
+          $item['class'] = "$module-". $item['class'];
+          $fields[$category][] = $item;
         }
       }
     }
-    drupal_set_title($account->name);
-    return theme('user_profile', $account, $fields);
-  }
-  else {
-    drupal_not_found();
   }
+  drupal_set_title($account->name);
+  return theme('user_profile', $account, $fields);
 }
 
 /*** Administrative features ***********************************************/
-- 
GitLab