I searched to see if this was answered already, but didn't see anything on the intended behavior. It appears that in the latest release, any user that can access a user's profile can now also access that user's vote history. I found the thread where the change originated (http://drupal.org/node/1246392).

Should this...

<?php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}
?>

Be this...

<?php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users');
}
?>

I guess you could add an additional check allowing users to view their own vote page if that is desired.

<?php
function vud_can_see_votes($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}
?>
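
The effect of the three variants above on different viewers, as an added example that is not part of the original post or the module's code. It is a stand-alone PHP model: `has_perm()` and `can_view_profile()` are hypothetical stand-ins for `user_access()` and `user_view_access()`, the profile rule is a simplified assumption, and the target account and viewers are constructed sample data.

```php
<?php
// Stand-alone model; runs without Drupal. has_perm() and can_view_profile()
// are hypothetical stand-ins for user_access() and user_view_access().
function has_perm($viewer, $perm) {
  return in_array($perm, $viewer->perms, TRUE);
}

// Assumed profile rule: own account, 'administer users', or an active
// account viewed by someone holding 'access user profiles'.
function can_view_profile($viewer, $account) {
  return $viewer->uid == $account->uid
    || has_perm($viewer, 'administer users')
    || ($account->status == 1 && has_perm($viewer, 'access user profiles'));
}

// The three variants from the post, with the viewer passed in explicitly.
function votes_released($v, $a) {
  if ($a->status != 1) { return can_view_profile($v, $a); }
  return has_perm($v, 'access vote up/down statistics') || can_view_profile($v, $a);
}
function votes_proposed($v, $a) {
  if ($a->status != 1) { return can_view_profile($v, $a); }
  return has_perm($v, 'access vote up/down statistics') || has_perm($v, 'administer users');
}
function votes_proposed_own($v, $a) {
  if ($a->status != 1) { return can_view_profile($v, $a); }
  return votes_proposed($v, $a) || $v->uid == $a->uid;
}

// Constructed sample data: one active target account and five viewers.
$target = (object) array('uid' => 5, 'status' => 1);
$viewers = array(
  'profile perm only' => (object) array('uid' => 2, 'perms' => array('access user profiles')),
  'vote stats perm'   => (object) array('uid' => 3, 'perms' => array('access vote up/down statistics')),
  'user admin'        => (object) array('uid' => 4, 'perms' => array('administer users')),
  'account owner'     => (object) array('uid' => 5, 'perms' => array()),
  'no permissions'    => (object) array('uid' => 6, 'perms' => array()),
);

// Print the access matrix: one row per viewer, one column per variant.
printf("%-18s %-9s %-9s %s\n", 'viewer', 'released', 'proposed', 'proposed+own');
foreach ($viewers as $label => $v) {
  printf("%-18s %-9s %-9s %s\n", $label,
    votes_released($v, $target) ? 'allow' : 'deny',
    votes_proposed($v, $target) ? 'allow' : 'deny',
    votes_proposed_own($v, $target) ? 'allow' : 'deny');
}
```

The "profile perm only" row is the case the report is about: it is the only viewer whose decision differs between the released check and both proposed ones.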

Comments

marvil07

Status: Active » Fixed
File: status new, size 1.22 KB

Thanks for reporting :-)

Reviewing in detail the code of user_view_access(), I see what you mean. Yes, there is a problem there since it allows access for people with 'access user profiles' permission to access what only 'access vote up/down statistics' permission enabled users should see.

So, here is the patch I have pushed to 6.x-3.x and 6.x-2.x. It's not exactly what you wrote, and is instead completely based on user_view_access() logic.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.