Authenticated user have access to all social media profiles [#1551670]

I am a Drupal newbie so I may just have misconfigured things but it seems all authenticated users have access to all social media profiles when the "Administer own profiles" permission is assigned to the "authenticated user" role. I guess that is not the expected behavior.

To verify make sure the "Administer own profiles" permission is assigned to the "Authenticated User" role and access the social media profile of another authenticated user.

To fix this for my installation I made some changes to 'socialmedia.module'. In particular I made the following change to 'function socialmedia_menu()':

I replaced:

  'access arguments' => array('administer own profiles'),

with

  'access callback' => 'socialmedia_user_profile_access',
  'access arguments' => array(1, 'administer own profiles'),

and added the function 'socialmedia_user_profile_access'

  function socialmedia_user_profile_access($account, $access_type) {
    global $user;
    return user_access($access_type) && ($account->uid == $user->uid);
  }

Don't know if this is the right way to do this but at least it seems to work... ;-)

Comment	File	Size	Author
#1	socialmedia-auth_user_access_all_profiles-1551670-1.patch	3.4 KB	pverrier

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

pverrier CreditAttribution: pverrier commented 18 June 2012 at 10:25

File	Size
socialmedia-auth_user_access_all_profiles-1551670-1.patch	3.4 KB

I met the same issue.
The 'administer own profiles' permission is checked when accessing a user settings page, but when this user is not the current one, access is also granted if the current user has this permission (normally set only for him). As users will generally be granted the right to edit their own social settings, thus every user will then have the right to modify the other's profiles... That's not what we want.

Here's a patch to solve this. I've changed the name of the permission 'administer own profiles' to 'administer own social profiles' to prevent name collision with another module. I also added a 'administer any social profiles' for my needs, it may be useful to grant a role the permission to edit any social account (not needed for account 1, as he has all privileges, but for other users we want to have administrative rights via a special role).