I've tested on a non-English Drupal installation. Using bulk operation, a user who doesn't have the edit permission can still block/unblock any user including the administrator. After submission, I see the error message AND successful message. The selected user(s) are in fact blocked (or unblocked).

This may be due to the fact that I'm using non-English UI, but nonetheless, a security concern.

BTW: This module is a lifesaver for me. Thank you so much to compile the patches and whatnot into one place!

CommentFileSizeAuthor
#15 administerusersbyrole-hide_access_denied_links-1670954-15.patch807 bytesptsimard
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch administerusersbyrole-hide_access_denied_links-1670954-15.patch. Unable to apply patch. See the log in the details link for more information. View
#12 administerusersbyrole.module-1670954.patch1.25 KBsnuyt
FAILED: [[SimpleTest]]: [MySQL] Invalid patch format in administerusersbyrole.module-1670954.patch. View
#3 administerusersbyrole-load-name-role-1670954.patch526 bytesdenison
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es). View
Membership dollars fund testing for the Drupal project. Drupal Association Learn more

Comments

NobuT’s picture

To mitigate the issue, I've added form alter hook so that users that the current user doesn't have the edit permission don't show up.

/**
 * Implements hook_form_user_admin_account_alter().
 */
function administerusersbyrole_form_user_admin_account_alter(&$form, &$form_state, $form_id) {
    // Remove rows if I don't have access to them. 
  foreach ($form['accounts']['#options'] as $uid => $fields) {
    $account = user_load($uid);
    if (!_administerusersbyrole_can_edit_user($account)) {
      unset($form['accounts']['#options'][$uid]);
    }
  }
}
mrfelton’s picture

Project: Administer Users by Role D7 » Administer Users by Role
Version: » 7.x-1.0-beta1

Moving over to the Administer Users by Role queue.

denison’s picture

FileSize
526 bytes
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es). View

Sorry, I did not understand where the topic has been moved. I had a similar problem, with the same message. But in my case I was using UI in English.

What was happening: In place of the string with the name of the role, was coming from the id eg id => id.

 Solved with this patch. I'm using version 7.x-1.0-beta1

NobuT’s picture

Thanks for the patch. It seems working.

edb’s picture

Priority: Normal » Major
Status: Active » Reviewed & tested by the community

Works fine here too, moving to RTBC.

Also marking as major as this bug prevents any user apart from user 1 from editing a users status.

dmegatool’s picture

#1 solution works but when I create a new user, it's back to the old behavior. When I clear the cache, it works again and only the appropriate users are shown...

Any idea what's causing this and how to fix ?

EDIT: Found out that's when I create a user when using the overlay/seven theme. If I disable the admin theme and create the user, everything's fine. I've put the code in my theme template.tlp.php... Is that where it goes ? I would like to reenable the admin theme overlay.

EDIT 2: I copied over the code to the Seven's template.tlp.php which I find kinda hacky. Works now but if the theme gets updated... Anyway maybe someone could answer to help others.

info999’s picture

I have same issue.
Using bulk operation the user can block/unblock any other user, includes Administator.
I'm waiting for update the module.
And thanks for module.

HaloFX’s picture

Applied #3 to beta1 and dev, both applied OK, but didn't resolve issue.

gaele’s picture

Issue summary: View changes
Priority: Major » Critical
Status: Reviewed & tested by the community » Closed (duplicate)
gaele’s picture

Status: Closed (duplicate) » Needs work

Sorry, 1717876 appears to be another issue.

snuyt’s picture

using

function administerusersbyrole_user_presave(&$edit, $account, $category) {

instead of

function administerusersbyrole_user_update(&$edit, $account, $category) {

is probably a good idea ?

snuyt’s picture

FileSize
1.25 KB
FAILED: [[SimpleTest]]: [MySQL] Invalid patch format in administerusersbyrole.module-1670954.patch. View
gaele’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 12: administerusersbyrole.module-1670954.patch, failed testing.

ptsimard’s picture

FileSize
807 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch administerusersbyrole-hide_access_denied_links-1670954-15.patch. Unable to apply patch. See the log in the details link for more information. View

Hello,

while not dealing with the other patches right now, I just thought that NobuT's hook at comment #1 needed its own patch as it is very useful.

ptsimard’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work
AdamPS’s picture

Assigned: Unassigned » AdamPS
Status: Needs work » Needs review
Issue tags: +beta1

I intend to fix this as part of #2378869: Meta-issue for Beta 2 release. Please sign up as a follower of that issue and there will shortly be a patch that I would like feedback on.

Roughly speaking I took the patch in #15 but tweaked the permissions to guard permissions to users own account more carefully.

Should now be fixed on that issue, please let me know.

AdamPS’s picture

Version: 7.x-1.0-beta1 » 7.x-2.0-beta1
Status: Needs review » Closed (fixed)

Fix now available in latest release