Commit 864fb0a0 authored by webchick's avatar webchick

Issue #1870614 by plach, greggles, dww, mr.baileys, David Rothstein: Fixed...

Issue #1870614 by plach, greggles, dww, mr.baileys, David Rothstein: Fixed SA-CORE-2012-004 - Drupal core - Search shows blocked users.
parent 5d89911f
......@@ -24,7 +24,7 @@ class UserSearchTest extends WebTestBase {
public static function getInfo() {
return array(
'name' => 'User search',
'description' => 'Testing that only user with the right permission can see the email address in the user search.',
'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
'group' => 'User',
);
}
......@@ -44,6 +44,25 @@ function testUserSearch() {
$edit = array('keys' => $keys);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($keys);
// Create a blocked user.
$blocked_user = $this->drupalCreateUser();
$blocked_user->status = 0;
$blocked_user->save();
// Verify that users with "administer users" permissions can see blocked
// accounts in search results.
$edit = array('keys' => $blocked_user->name);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
// Verify that users without "administer users" permissions do not see
// blocked accounts in search results.
$this->drupalLogin($user1);
$edit = array('keys' => $blocked_user->name);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
$this->drupalLogout();
}
}
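Review bot: The negative check on L34, `$this->assertNoText($blocked_user->name, ...)`, passes vacuously if the search request as $user1 returned no results page at all (an access-denied or empty response would also lack the name), so it does not by itself prove the status filter ran. Add a positive control in the same session, e.g. `$this->assertResponse(200);` after the `drupalPost()` on L33 and a search for an active account whose name is then asserted present, so that only the blocked account's absence is attributed to the new filter. The `$user1` account used for the non-admin login is created outside the hunk, so its permissions (and that it lacks "administer users") cannot be confirmed from here; the enclosing testUserSearch() also starts outside the hunk.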
......@@ -538,14 +538,18 @@ function user_search_execute($keys = NULL, $conditions = NULL) {
->extend('Drupal\Core\Database\Query\PagerSelectExtender');
$query->fields('users', array('uid'));
if (user_access('administer users')) {
// Administrators can also search in the otherwise private email field.
// Administrators can also search in the otherwise private email field, and
// they don't need to be restricted to only active users.
$query->fields('users', array('mail'));
$query->condition(db_or()->
condition('name', '%' . db_like($keys) . '%', 'LIKE')->
condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
}
else {
$query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
// Regular users can only search via usernames, and we do not show them
// blocked accounts.
$query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
->condition('status', 1);
}
$uids = $query
->limit(15)
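Review bot: The new `->condition('status', 1)` on L55 encodes the visibility rule as a bare literal; naming the value (a status constant if the codebase defines one, otherwise a local comment such as `// 1 = active account` on that line) would make the intent of the filter explicit to the next reader. The rule is applied only on the query, which is the right layer, but it is keyed solely on the current user's "administer users" permission, so any other code path that later re-resolves or renders these accounts must not bypass the status check; the rest of user_search_execute(), including its docblock, lies outside the hunk and should state that blocked accounts are omitted for non-administrators. The function starts and ends outside this hunk.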