Commit ad74b700 authored by Dries's avatar Dries

- Patch #32669 by DriesK: split blocking users from 'adminsiter access'.

parent d5d0149a
......@@ -1154,8 +1154,10 @@ function user_edit_form($uid, $edit) {
$form['account']['name'] = array('#type' => 'textfield', '#title' => t('Username'), '#default_value' => $edit['name'], '#maxlength' => 55, '#description' => t('Your full name or your preferred username: only letters, numbers and spaces are allowed.'), '#required' => TRUE);
$form['account']['mail'] = array('#type' => 'textfield', '#title' => t('E-mail address'), '#default_value' => $edit['mail'], '#maxlength' => 55, '#description' => t('Insert a valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'), '#required' => TRUE);
$form['account']['pass'] = array('#type' => 'item', '#title' => t('Password'), '#value' => '<input type="password" class="form-password" name="edit[pass1]" size="12" maxlength="24" /> <input type="password" class="form-password" name="edit[pass2]" size="12" maxlength="24" />', '#required' => true);
if (user_access('administer access control')) {
if (user_access('administer users')) {
$form['account']['status'] = array('#type' => 'radios', '#title' => t('Status'), '#default_value' => $edit['status'], '#options' => array(t('Blocked'), t('Active')));
}
if (user_access('administer access control')) {
$form['account']['roles'] = array('#type' => 'checkboxes', '#title' => t('Roles'), '#default_value' => array_keys($edit['roles']), '#options' => user_roles(1), '#description' => t('Select at least one role. The user receives the combined permissions of all of the selected roles.'), '#required' => TRUE);
}
......@@ -1244,7 +1246,8 @@ function user_edit($category = 'account') {
if (!form_get_errors()) {
// Validate input to ensure that non-privileged users can't alter protected data.
if (!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'roles', 'init', 'session'))) {
if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) ||
(!user_access('administer access control') && isset($edit['roles']))) {
watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
}
else {
......
......@@ -1154,8 +1154,10 @@ function user_edit_form($uid, $edit) {
$form['account']['name'] = array('#type' => 'textfield', '#title' => t('Username'), '#default_value' => $edit['name'], '#maxlength' => 55, '#description' => t('Your full name or your preferred username: only letters, numbers and spaces are allowed.'), '#required' => TRUE);
$form['account']['mail'] = array('#type' => 'textfield', '#title' => t('E-mail address'), '#default_value' => $edit['mail'], '#maxlength' => 55, '#description' => t('Insert a valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'), '#required' => TRUE);
$form['account']['pass'] = array('#type' => 'item', '#title' => t('Password'), '#value' => '<input type="password" class="form-password" name="edit[pass1]" size="12" maxlength="24" /> <input type="password" class="form-password" name="edit[pass2]" size="12" maxlength="24" />', '#required' => true);
if (user_access('administer access control')) {
if (user_access('administer users')) {
$form['account']['status'] = array('#type' => 'radios', '#title' => t('Status'), '#default_value' => $edit['status'], '#options' => array(t('Blocked'), t('Active')));
}
if (user_access('administer access control')) {
$form['account']['roles'] = array('#type' => 'checkboxes', '#title' => t('Roles'), '#default_value' => array_keys($edit['roles']), '#options' => user_roles(1), '#description' => t('Select at least one role. The user receives the combined permissions of all of the selected roles.'), '#required' => TRUE);
}
......@@ -1244,7 +1246,8 @@ function user_edit($category = 'account') {
if (!form_get_errors()) {
// Validate input to ensure that non-privileged users can't alter protected data.
if (!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'roles', 'init', 'session'))) {
if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) ||
(!user_access('administer access control') && isset($edit['roles']))) {
watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
}
else {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment