From a266968876cfca703c3d86aa888ffe70b04dddc3 Mon Sep 17 00:00:00 2001
From: Allen Freeman
Date: Fri, 10 Jun 2011 13:57:53 -0400
Subject: [PATCH 1/4] Issue #932814: Prevent switching to blocked user accounts.
---
 masquerade.module | 61 +++++++++++++++++++++++++++++++++++++++++-----------
 1 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index c50c2cf..c48b4d1 100644
--- a/masquerade.module
+++ b/masquerade.module
@@ -385,13 +385,42 @@ function masquerade_user($op, &$edit, &$edit_user, $category = NULL) { $old_session_id = session_id(); break; - case 'update': + case 'after_update': + if (isset($old_session_id) && session_id() != $old_session_id) { + db_query("UPDATE {masquerade} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id); + } + if ($category == 'account' && isset($edit['masquerade_users'])) { $users = drupal_explode_tags($edit['masquerade_users']); db_query("DELETE FROM {masquerade_users} WHERE uid_from = %d", $edit_user->uid); - foreach ($users as $user) { - $u = user_load(array('name' => $user)); - db_query("INSERT INTO {masquerade_users} VALUES (%d, %d)", $edit_user->uid, $u->uid); + if ($edit_user->status == 1) { + foreach ($users as $user) { + $u = user_load(array('name' => $user)); + db_query("INSERT INTO {masquerade_users} VALUES (%d, %d)", $edit_user->uid, $u->uid); + } + } + else { + // If the user account is blocked it should be removed as an option for masquerading. + db_query("DELETE FROM {masquerade_users} WHERE uid_to = %d", $edit_user->uid); + $quick_switches = variable_get('masquerade_quick_switches', array()); + $test_user = variable_get('masquerade_test_user', ''); + if (in_array($edit_user->uid, $quick_switches)) { + $results = db_query('SELECT uid FROM {users} WHERE status=1 AND uid IN (' . db_placeholders($quick_switches, 'int') . ')', $quick_switches); + $quick_switches = array(); + while ($result = db_result($results)) { + $quick_switches[] = $result; + } + variable_set('masquerade_quick_switches', $quick_switches); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $edit_user-name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. 
This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $edit_user->name), WATCHDOG_NOTICE); + } + // If we just blocked the masquerade test user, we'll need to kill the test user menu item. + if (!strcmp($test_user, $edit_user->name)) { + variable_set('masquerade_test_user',''); + menu_rebuild(); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. The menu link for this account has been removed.', array('%user' => $edit_user->name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. The memnu link for this account has been removed.', array('%user' => $edit_user->name), WATCHDOG_NOTICE); + } } $edit['masquerade_users'] = NULL; } @@ -400,12 +429,6 @@ function masquerade_user($op, &$edit, &$edit_user, $category = NULL) { case 'delete': db_query("DELETE FROM {masquerade_users} WHERE uid_from = %d OR uid_to = %d", $edit_user->uid, $edit_user->uid); break; - - case 'after_update': - if (isset($old_session_id) && session_id() != $old_session_id) { - db_query("UPDATE {masquerade} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id); - } - break; } } @@ -451,7 +474,11 @@ function masquerade_block_1($record) { $masquerade_switches = variable_get('masquerade_quick_switches', array()); // Add in user-specific switches. - $result = db_query("SELECT uid_to FROM {masquerade_users} WHERE uid_from = %d", $user->uid); + $result = db_query("SELECT uid_to FROM {masquerade_users} u + INNER JOIN {users} users + ON users.uid = u.uid_to + AND users.status = 1 + WHERE uid_from = %d", $user->uid); while ($uid_to = db_result($result)) { $masquerade_switches[] = $uid_to; } 
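Review bot: The blocked-account cleanup in the new `after_update` branch only runs when `$category == 'account'` and `$edit['masquerade_users']` is set, so an account blocked through the admin user-list bulk operation or a programmatic `user_save()` that omits that field keeps its {masquerade_users} rows and its entry in the `masquerade_quick_switches` variable. The `status = 1` join added to `masquerade_block_1` later in this patch hides the per-user rows but not the quick-switch list the block starts from, so the block can still offer a blocked account and enforcement then rests solely on the check in `masquerade_switch_user`. Keying the cleanup on the status change itself, e.g. an outer `if (isset($edit['status']) && !$edit['status'])` alongside the masquerade_users condition (assuming `$edit` carries the saved status, as it does for the bulk block operation), would keep both lists consistent however the account was blocked. Separately, the watchdog message in the test-user branch reads `The memnu link for this account has been removed.`, a typo the later fix in this series (which corrects only `$edit_user-name`) does not cover. The enclosing `masquerade_user` body continues outside the hunk.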
@@ -553,7 +580,7 @@ function masquerade_block_1_submit($form, &$form_state) { */ function masquerade_autocomplete($string) { $matches = array(); - $result = db_query_range("SELECT u.name FROM {users} u WHERE LOWER(u.name) LIKE LOWER('%s%%')", $string, 0, 10); + $result = db_query_range("SELECT u.name FROM {users} u WHERE u.status = 1 AND LOWER(u.name) LIKE LOWER('%s%%')", $string, 0, 10); while ($user = db_fetch_object($result)) { $matches[$user->name] = check_plain($user->name); } @@ -577,7 +604,7 @@ function masquerade_autocomplete_multiple($string) { $last_string = trim(array_pop($array)); $matches = array(); - $result = db_query_range("SELECT u.name FROM {users} u WHERE LOWER(u.name) LIKE LOWER('%s%%')", $last_string, 0, 10); + $result = db_query_range("SELECT u.name FROM {users} u WHERE u.status = 1 AND LOWER(u.name) LIKE LOWER('%s%%')", $last_string, 0, 10); $prefix = count($array) ? implode(', ', $array) .', ' : ''; @@ -651,6 +678,14 @@ function masquerade_switch_user($uid) { $new_user = user_load(array('uid' => $uid)); + // Check to see if user is blocked + if (!empty($new_user->uid) && empty($new_user->status)) { + drupal_set_message(t('You cannot masquerade as %user because this account is blocked.', array('%user' => $new_user->name)), 'error'); + watchdog('masquerade', 'An attempt to masquerade as %user failed because this account is blocked.', array('%user' => $new_user->name), WATCHDOG_ERROR); + return FALSE; + } + + $roles = array_keys(array_filter(variable_get('masquerade_admin_roles', array()))); $perm = $uid == 1 || array_intersect(array_keys($new_user->roles), $roles) ? 'masquerade as admin' : -- 1.7.5.2 From d945e9a541e2daa04de7a2e9083130c32580f6b4 Mon Sep 17 00:00:00 2001 From: Andrew Berry Date: Fri, 10 Jun 2011 14:18:49 -0400 Subject: [PATCH 2/4] Issue #932814: Fix minor code style issues. --- masquerade.module | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) 
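Review bot: `masquerade_autocomplete` and `masquerade_autocomplete_multiple` now carry the same `SELECT u.name FROM {users} u WHERE u.status = 1 AND LOWER(u.name) LIKE LOWER('%s%%')` query with the same 0..10 range, duplicated verbatim across this hunk and the next one. A small private helper taking the prefix string would keep the status filter from drifting between the two callbacks the next time the condition changes. Unchanged from before, but worth noting while the query is being touched: the `%s` placeholder escapes quotes, not LIKE metacharacters, so a `%` or `_` in the user-typed prefix acts as a wildcard; escaping those in `$string` before the query keeps the match a true prefix match. Both functions continue outside their hunks.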
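Review bot: The new blocked-account check in `masquerade_switch_user` runs before the permission decision that the following `$perm` assignment feeds, so a caller who has no masquerade access at all but passes a blocked uid still gets a message confirming that the account exists and is blocked, plus a WATCHDOG_ERROR entry, before access has been verified. Moving the block below the `user_access($perm)` test (presumably just after the hunk, which ends mid-function) keeps account-status information behind the same access control as the switch itself. The `!empty($new_user->uid)` guard also lets a FALSE from `user_load()` or uid 0 skip the check and fall through to `$new_user->roles` as before; if anonymous is not a valid target here, `if (empty($new_user->uid) || empty($new_user->status))` would reject both cases. WATCHDOG_WARNING arguably fits a user-driven refusal better than WATCHDOG_ERROR.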
diff --git a/masquerade.module b/masquerade.module index c48b4d1..3fa2add 100644 --- a/masquerade.module +++ b/masquerade.module @@ -382,6 +382,8 @@ function masquerade_user($op, &$edit, &$edit_user, $category = NULL) { break; case 'submit': + // If the user has changed their password, we need to store their session + // ID so we can update the {masquerade} table with the new session ID. $old_session_id = session_id(); break; @@ -474,9 +476,9 @@ function masquerade_block_1($record) { $masquerade_switches = variable_get('masquerade_quick_switches', array()); // Add in user-specific switches. - $result = db_query("SELECT uid_to FROM {masquerade_users} u + $result = db_query("SELECT uid_to FROM {masquerade_users} u INNER JOIN {users} users - ON users.uid = u.uid_to + ON users.uid = u.uid_to AND users.status = 1 WHERE uid_from = %d", $user->uid); while ($uid_to = db_result($result)) { @@ -684,7 +686,6 @@ function masquerade_switch_user($uid) { watchdog('masquerade', 'An attempt to masquerade as %user failed because this account is blocked.', array('%user' => $new_user->name), WATCHDOG_ERROR); return FALSE; } - $roles = array_keys(array_filter(variable_get('masquerade_admin_roles', array()))); $perm = $uid == 1 || array_intersect(array_keys($new_user->roles), $roles) ? -- 1.7.5.2 From 609f06be35981da69fbec8221925491e530d9142 Mon Sep 17 00:00:00 2001 From: Andrew Berry Date: Fri, 10 Jun 2011 14:23:59 -0400 Subject: [PATCH 3/4] Issue #932814: Don't deny access to a page when unable to switch accounts. --- masquerade.module | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) diff --git a/masquerade.module b/masquerade.module index 3fa2add..f4973e6 100644 --- a/masquerade.module +++ b/masquerade.module 
@@ -569,10 +569,7 @@ function masquerade_block_1_validate($form, &$form_state) { function masquerade_block_1_submit($form, &$form_state) { unset($form); $masq_user = user_load(array('name' => $form_state['values']['masquerade_user_field'])); - if (!masquerade_switch_user($masq_user->uid)) { - drupal_access_denied(); - } - else { + if (masquerade_switch_user($masq_user->uid)) { drupal_goto(referer_uri()); } } -- 1.7.5.2 From 4aa3823aeaa11d366955d0262be8ff9ec0668588 Mon Sep 17 00:00:00 2001 From: Andrew Berry Date: Fri, 10 Jun 2011 14:31:48 -0400 Subject: [PATCH 4/4] Issue #932814: Fix typo in dsm() when removing a blocked account from the list of quick switches. --- masquerade.module | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/masquerade.module b/masquerade.module index f4973e6..fe889c0 100644 --- a/masquerade.module +++ b/masquerade.module @@ -413,7 +413,7 @@ function masquerade_user($op, &$edit, &$edit_user, $category = NULL) { $quick_switches[] = $result; } variable_set('masquerade_quick_switches', $quick_switches); - drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $edit_user-name))); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $edit_user->name))); watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $edit_user->name), WATCHDOG_NOTICE); } // If we just blocked the masquerade test user, we'll need to kill the test user menu item. -- 1.7.5.2
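Review bot: After a successful switch the handler still ends in `drupal_goto(referer_uri())`, and `referer_uri()` returns the client-supplied Referer header; as far as I recall `drupal_goto()` in this Drupal version passes absolute URLs through unchanged, so a forged Referer can send the freshly switched user off-site (an open redirect that predates this commit but is now the handler's only exit path). Setting `$form_state['redirect']` from a value the module controls, or checking that the referer is local before the goto, would close it. When `masquerade_switch_user()` returns FALSE the handler now falls through silently and relies on the Form API default redirect to surface the error message the callee set, which is fine as long as `$masq_user` is a real account; `user_load()` returns FALSE for an unknown name, and whether `masquerade_block_1_validate` (outside the hunk) rejects that case is not visible here.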