Index: userprotect.module
===================================================================
--- userprotect.module (revision 224)
+++ userprotect.module (working copy)
@@ -384,11 +384,51 @@
 * modules's default access checks.
 */
 function userprotect_menu_alter(&$callbacks) {
+ $callbacks['user/%user']['access callback'] = 'userprotect_user_view_access';
 $callbacks['user/%user/edit']['access callback'] = 'userprotect_user_edit_access';
 $callbacks['user/%user/cancel']['access callback'] = 'userprotect_user_cancel_access';
 }
 
 /**
+ * Access callback for user view pages.
+ *
+ * This replaces user_view_access from user.module.
+ *
+ * @param $account
+ * An object representing the user to be edited.
+ */
+function userprotect_user_view_access($account) {
+ // Perform core's access check.
+ $uid = is_object($account) ? $account->uid : (int) $account;
+
+ // Never allow access to view the anonymous user account.
+ if ($uid) {
+ // Admins can view all, users can view own profiles at all times.
+ if (user_access('administer users')) {
+ return TRUE;
+ }
+// remove default logic from user_view_access
+// elseif ($GLOBALS['user']->uid == $uid) {
+// return TRUE;
+// }
+ elseif (user_access('access user profiles')) {
+ // At this point, load the complete account object.
+ if (!is_object($account)) {
+ $account = user_load($uid);
+ }
+ return (is_object($account) && $account->status);
+ }
+ // new logic from userprotect
+ elseif (!userprotect_check_bypass('up_view') && userprotect_get_user_protection($account, 'up_view')) {
+ return FALSE;
+ } else {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
 * Access callback for user edit pages.
 *
 * This replaces user_edit_access from user.module.
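Review bot: The final `else { return TRUE; }` in `userprotect_user_view_access()` grants the profile page to any visitor who lacks 'access user profiles' whenever the account is not `up_view`-protected, which is wider than the core check this callback replaces and also skips the `$account->status` test. The `up_view` check is unreachable for viewers who do hold 'access user profiles', because that `elseif` returns first, and it receives `$account` before `user_load()` has run when a bare uid was passed in. Evaluate the protection as a deny before any grant and end on a default deny, as sketched below; the sketch assumes `up_view` on the viewer's own account resolves to the new 'view own user account' permission, as the hunk at -798 suggests. The docblock still says "the user to be edited", the "users can view own profiles at all times" comment no longer matches the code, and the commented-out `elseif` is better deleted than kept.

```php
function userprotect_user_view_access($account) {
  $uid = is_object($account) ? $account->uid : (int) $account;
  // Never allow access to view the anonymous user account.
  if (!$uid) {
    return FALSE;
  }
  if (user_access('administer users')) {
    return TRUE;
  }
  // Load the account once so the protection and status checks see the same object.
  if (!is_object($account)) {
    $account = user_load($uid);
  }
  if (!is_object($account)) {
    return FALSE;
  }
  // A protection can only deny, so it is evaluated before any grant.
  if (!userprotect_check_bypass('up_view') && userprotect_get_user_protection($account, 'up_view')) {
    return FALSE;
  }
  // Own profile: reaching this point means the up_view check did not deny it.
  if ($GLOBALS['user']->uid == $uid) {
    return TRUE;
  }
  // Everyone else keeps core's rule; no permission means no access.
  return user_access('access user profiles') && $account->status;
}
```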
@@ -459,6 +499,14 @@
 */
 function userprotect_permission() {
 return array(
+ 'view own user account' => array(
+ 'title' => t('View own user profile'),
+ 'description' => t('Allow users to view their own account page. Overrides disabled View user profiles.'),
+ ),
+ 'edit own user account' => array(
+ 'title' => t('Edit own user profile'),
+ 'description' => t('Allow users to edit their own account page.'),
+ ),
 'change own e-mail' => array(
 'title' => t('Change own e-mail'),
 'description' => t('Allow users to edit their own e-mail address.'),
@@ -612,6 +660,7 @@
 'up_openid' => 0,
 'up_cancel' => 1,
 'up_edit' => 0,
+ 'up_view' => 0,
 );
 }
 
@@ -645,6 +694,7 @@
 'up_openid' => t('openid'),
 'up_cancel' => t('cancel'),
 'up_edit' => t('all account edits'),
+ 'up_view' => t('all account views'),
 );
 }
 
@@ -798,7 +848,7 @@
 // and password determined by the role-based setting in the userprotect
 // section at admin/config/people/permissions. This is done for consistency
 // with the way core handles the self-editing of usernames.
- if ($uid == $GLOBALS['user']->uid && in_array($protection, array('up_name', 'up_mail', 'up_pass', 'up_openid', 'up_edit'))) {
+ if ($uid == $GLOBALS['user']->uid && in_array($protection, array('up_name', 'up_mail', 'up_pass', 'up_openid', 'up_edit', 'up_view'))) {
 switch ($protection) {
 case 'up_name':
 return !user_access('change own username');
@@ -808,9 +858,10 @@
 return !user_access('change own password');
 case 'up_openid':
 return !user_access('change own openid');
- // Always let user access their own edit page.
 case 'up_edit':
- return FALSE;
+ return !user_access('edit own user account');
+ case 'up_view':
+ return !user_access('view own user account');
 }
 }
 
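Review bot: The description "Overrides disabled View user profiles." on 'view own user account' does not say which way the override works, so an administrator on the permissions page has to guess whether granting it widens or narrows access. Suggest `t('Allow users to view their own account page even when they lack the "View user profiles" permission.')`. The array returned by `userprotect_permission()` continues outside the hunk.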
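Review bot: `case 'up_edit'` now returns `!user_access('edit own user account')` where it used to return FALSE unconditionally, so on an existing site it appears that every role without the new permission loses its own edit form, password changes included, as soon as the patch is applied. Nothing in this patch grants the new permissions on update; an update hook in the module's .install file could preserve current behaviour with `user_role_grant_permissions(DRUPAL_AUTHENTICATED_RID, array('edit own user account', 'view own user account'));`. The removed comment "Always let user access their own edit page." should be replaced by one stating the new rule, for example `// Own edit and view pages are governed by role permissions.`. The enclosing function starts and ends outside the hunk.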