Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently there are no access callbacks for the user properties, which results in scenarios where the user's email address is accessible with the "View user profiles" permission (see also #1042582: Resource permissions). This is an example for a property that should only be visible with the "Administer users" permission.
I'll look into it.
Comment | File | Size | Author |
---|---|---|---|
#4 | 1046270-entity-user-property-access.patch | 2.44 KB | klausi |
#3 | entity_user_perm.patch | 2.27 KB | fago |
#1 | 1046270-entity-user-property-access.patch | 1.69 KB | klausi |
Comments
Comment #1
klausiPatch to restrict "mail" and "roles" property.
Comment #2
BenK CreditAttribution: BenK commentedSubscribing
Comment #3
fagoThis would mean everyone can change its own roles - not so good ;)
Here is an updated patch, also including the user name property. Please review.
Comment #4
klausiI find that code very hard to read. Here is a modified version that does the same but is hopefully easier to read.
Comment #5
fagoThanks, indeed that's better. I've fixed two typos and committed it.