Commit b0676c8f authored by Gábor Hojtsy's avatar Gábor Hojtsy

#192692 by jrbeeman and mfer: (security) protect profile category page menu...

#192692 by jrbeeman and mfer: (security) protect profile category page menu items with the visibility settings already available
parent c40af944
......@@ -443,11 +443,29 @@ function profile_categories() {
$result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
$data = array();
while ($category = db_fetch_object($result)) {
$data[] = array('name' => $category->category, 'title' => $category->category, 'weight' => 3);
$data[] = array(
'name' => $category->category,
'title' => $category->category,
'weight' => 3,
'access callback' => 'profile_category_access',
'access arguments' => array($category->category)
);
}
return $data;
}
/*
* Menu item access callback - check if a user has access to a profile category.
*/
function profile_category_access($category) {
if (user_access('administer users')) {
return TRUE;
}
else {
return db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
}
}
/**
* Process variables for profile-block.tpl.php.
*
......
......@@ -1072,6 +1072,8 @@ function user_menu() {
'title arguments' => array($category['title']),
'page callback' => 'user_edit',
'page arguments' => array(1, 3),
'access callback' => isset($category['access callback']) ? $category['access callback'] : TRUE,
'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(),
'type' => MENU_LOCAL_TASK,
'weight' => $category['weight'],
'file' => 'user.pages.inc',
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment