Based on the code for vud_user_votes(), I believe the intention is to allow someone with the 'administer users' permission to be able to view the page for blocked users while people without would only be able to access it if the user was active. However, anyone trying to access the page will receive a page not found because of the user_load() call on 123. It's only loading the account for the given uid if the status is also 1, so if the user has been blocked, then the account won't be loaded and it will immediately skip to the else statement.

122  function vud_user_votes() {
123    if ($account = user_load(array('uid' => arg(1), 'status' => 1))) {
124      if ($account->status || user_access('administer users')) {
            ...
148      }
149      else {
150        drupal_access_denied();
151      }
152    }
153    else {
154      drupal_not_found();
155    }
156  }

That problem aside, I think that the checks in lines 123 & 124 should really be in a custom access callback. By doing the checks in the access callback, the link for the user's vote page wouldn't even be rendered if the user shouldn't be able to view the page. As it stands, with the access checks in the page callback, that link will still be rendered, making it look like the user should be able to access it. Attached is a possible solution for both issues.
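The access-callback approach described above, as an added Drupal 6 example that is not part of the original post and is not the attached patch. The module name `example_votes`, the `user/%user/votes` path and the 'view example votes' permission are hypothetical; `user_view_access()` is the core function from user.module.

```php
<?php
// Added illustration for Drupal 6. "example_votes", the "votes" path and the
// 'view example votes' permission are hypothetical names.

/**
 * Implementation of hook_perm().
 */
function example_votes_perm() {
  return array('view example votes');
}

/**
 * Implementation of hook_menu().
 */
function example_votes_menu() {
  $items = array();
  // %user runs user_load() on arg(1) with no status condition, so blocked
  // accounts still load; an unknown uid makes the menu system return 404.
  $items['user/%user/votes'] = array(
    'title' => 'Votes',
    'page callback' => 'example_votes_page',
    'page arguments' => array(1),
    // Evaluated by the menu system before the tab is rendered or the page
    // callback runs, so a denied visitor never sees the link.
    'access callback' => 'example_votes_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback: decides who may see $account's votes tab.
 */
function example_votes_access($account) {
  // Core's user_view_access() allows users to view their own account, allows
  // 'administer users' to view any account (blocked ones included), and
  // otherwise requires an active account that has logged in at least once
  // plus the 'access user profiles' permission.
  return user_access('view example votes') && user_view_access($account);
}

/**
 * Page callback: only reached when the access callback returned TRUE.
 */
function example_votes_page($account) {
  // No drupal_access_denied() or drupal_not_found() calls are needed here.
  return t('Votes cast by @name', array('@name' => $account->name));
}
```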


Comments

kevin.dutra

FileSize: 1.36 KB

Brain fart there on the arguments, this would be correct.

marvil07

Version: 6.x-2.4 » 6.x-2.x-dev
Status: Active » Postponed (maintainer needs more info)

Some time ago I changed a little how that function worked on #1024138-3: Namespace the user votes tab and move access check to access callback, but that change is not yet on a release.

It would be great if you could test whether you can reproduce the bug on top of the 6.x-2.x branch, so we can re-work the patch if the problem is still there.

kevin.dutra

Checked out the latest on the 6.x-2.x branch and I'm sorry to say it got worse :(
Now you get dual content--both the page not found and the content of the page. I'm not working off a clean Drupal install, so it's possible that there's some conflict there, but I'm guessing not.

marvil07

Assigned: Unassigned » marvil07
Status: Postponed (maintainer needs more info) » Needs work

The code for that seems to be working fine: when viewing a blocked user's votes tab it shows a Drupal not found page.

But yeah, I guess it's better to show it, but only for users that pass the function you suggest in the patch: user_view_access()

marvil07

Status: Needs work » Fixed
FileSize: 1.06 KB

Attached patch is now on both 6.x-3.x and 6.x-2.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.