views_handler_field_user_link_edit extends views_handler_field_user_link but checks against 'access user profiles', which is the value for the 'View User Profiles' permission. The edit link could possibly show for someone with permissions to view profiles, but not actually edit them, resulting in an access denied.

This patch simply adds a permission check to views_handler_field_user_link_edit for the 'administer users' permission to correct the issue.

File: editlinkpermissionspatch.patch | Size: 652 bytes | Author: kazajhodo

Comments

dandaman

Assigned: kazajhodo » Unassigned

Unassigning it. Will try to review this if I have some time soon.

JaceRider

+1 for this patch

dawehner

Status: Needs review » Needs work

Oh yeah, this is indeed a problem.

+++ b/modules/user/views_handler_field_user_link_edit.incundefined
@@ -1,14 +1,6 @@
-/**
- * @file
- * Definition of views_handler_field_user_link_edit.
- */
-
 /**
  * Field handler to present a link to user edit.
- *
- * @ingroup views_field_handlers
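
Review bot: The `@file` docblock removed at the top of this hunk and the `@ingroup views_field_handlers` tag removed from the class comment are unrelated to the permission fix. Restore both so the patch changes only the access logic and the file keeps its documentation.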

There is no reason to remove proper documentation.

+++ b/modules/user/views_handler_field_user_link_edit.incundefined
@@ -27,4 +19,8 @@ class views_handler_field_user_link_edit extends views_handler_field_user_link {
+  ¶
+  function access() {
+    return user_access('administer users');
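
Review bot: The `access()` added here gates the whole field on 'administer users', so a user without that permission no longer gets an edit link for any row, including the row for their own account. Consider deciding per account when the link is rendered instead of once for the field. The new method also has no doc comment, and the added line just before `function access()` contains only whitespace.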

I'm wondering whether people use this field to display a link to edit your own profile. Based on this you would have to remove the access check and just return TRUE and add the required logic in the render_link function. There you could use user_edit_access.
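
The three options discussed in this review, modelled as an added standalone PHP example (not the patch and not Views code). `demo_user_access()` and `demo_user_edit_access()` are stand-ins assumed to mirror Drupal 7's `user_access()` and `user_edit_access()`; the viewers and row uids are constructed.

```php
<?php
// Constructed sample data: viewers and the permissions each one holds.
$viewers = [
  'admin'  => ['uid' => 1, 'perms' => ['access user profiles', 'administer users']],
  'member' => ['uid' => 5, 'perms' => ['access user profiles']],
];
// Constructed view result: uid of the account shown in each row.
$rows = [1, 5, 7];

// Stand-in for Drupal's user_access(), taking the viewer explicitly.
function demo_user_access(string $perm, array $viewer): bool {
  return in_array($perm, $viewer['perms'], TRUE);
}

// Stand-in for user_edit_access(): own account or 'administer users',
// and never the anonymous account (uid 0).
function demo_user_edit_access(int $uid, array $viewer): bool {
  return $uid > 0
    && ($viewer['uid'] === $uid || demo_user_access('administer users', $viewer));
}

// Returns the row uids for which an edit link is rendered.
// $gate is the permission checked once in access(), or NULL for "return TRUE";
// $per_row says whether render_link checks each account.
function edit_links(array $rows, array $viewer, ?string $gate, bool $per_row): array {
  if ($gate !== NULL && !demo_user_access($gate, $viewer)) {
    return [];  // The whole field is hidden.
  }
  return array_values(array_filter($rows, function ($uid) use ($viewer, $per_row) {
    return !$per_row || demo_user_edit_access($uid, $viewer);
  }));
}

$strategies = [
  "access(): 'access user profiles'" => ['access user profiles', FALSE],
  "access(): 'administer users'"     => ['administer users', FALSE],
  'access(): TRUE + per-row check'   => [NULL, TRUE],
];
foreach ($strategies as $label => [$gate, $per_row]) {
  foreach ($viewers as $name => $viewer) {
    $shown = edit_links($rows, $viewer, $gate, $per_row);
    // A link is broken when the viewer would get "access denied" on it.
    $broken = array_filter($shown, fn($uid) => !demo_user_edit_access($uid, $viewer));
    printf("%-34s %-6s links: [%s] denied: [%s]\n", $label, $name,
      implode(',', $shown), implode(',', $broken));
  }
}
```

For the `member` viewer the first strategy renders links that end in access denied, the second renders none at all, and only the per-row check keeps the link to the member's own account.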

poiu

Issue summary: View changes

The workbench module uses (well, tries to use) this field to display a link to edit your own profile.