Currently there are no access callbacks for the user properties, which results in scenarios where the user's email address is accessible with the "View user profiles" permission (see also #1042582: Resource permissions). This is an example for a property that should only be visible with the "Administer users" permission.
I'll look into it.

CommentFileSizeAuthor
#4 1046270-entity-user-property-access.patch2.44 KBklausi
#3 entity_user_perm.patch2.27 KBfago
#1 1046270-entity-user-property-access.patch1.69 KBklausi
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
CreditAttribution: klausi commented
Status: Active » Needs review
FileSize
1046270-entity-user-property-access.patch1.69 KB

Patch to restrict "mail" and "roles" property.

BenK’s picture

BenK CreditAttribution: BenK commented

Subscribing

fago’s picture

fago
Primary language German
Location Vienna
CreditAttribution: fago commented
FileSize
entity_user_perm.patch2.27 KB

This would mean everyone can change its own roles - not so good ;)
Here is an updated patch, also including the user name property. Please review.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
CreditAttribution: klausi commented
FileSize
1046270-entity-user-property-access.patch2.44 KB

I find that code very hard to read. Here is a modified version that does the same but is hopefully easier to read.

fago’s picture

fago
Primary language German
Location Vienna
CreditAttribution: fago commented
Status: Needs review » Fixed

Thanks, indeed that's better. I've fixed two typos and committed it.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.