So far so good with the 5.x. dev version for the most part, but found one bug:
We have access control set up so only admins can "view" userpoints, but in fact even when logged in as a normal authenticated user anyone can see the userpoints for any user on the profile page of each user.
Comments
Comment #1
Art Morgan commented
I think I figured out a workaround for this, but wanted to see if anyone had a recommendation on how best to implement it.
To recap the problem: We want authenticated users to be able to view only their own points, not those of others. We set userpoint "view" access only to admins, but profiles seem to ignore this setting - Points show up for every user on every profile, even when logged in as a non-admin.
Solution: We can use the userpoints block to show users how many points they have. Now we just need to remove any reference to user points from the profile pages.
What is the best way to do this? I see case 'view' under function userpoints_user, where the text for the profiles is generated. Should I just comment that out? Or is there a better place/way to prevent the profiles from displaying userpoints?
Comment #2
jredding commented
I'll verify that this is the case and fix it if necessary in Version 3.0.
Comment #3
jredding commented
The "View userpoints" permission is there to control permission on viewing "All users" userpoints via the "list users" page (i.e. all in one shot). The module is coded to display the userpoints on the profile page, thus if a user has the ability to view the profile page they will view the points for that user also.
It wouldn't be difficult to modify this but a consensus has to be reached amongst the users and the module maintainer (kbahey).
So the question is
1) Should it be a permission to view All user points via the profile page
2) Should the existing permission "view userpoints" control the behavior of seeing points on the profile page
3) Should this be a module-wide setting in admin/settings/userpoints?
or
4) Things are fine.. if that's the way it is, that's the way it is.
Comment #4
jredding commented
Comment #5
gajillion commented
Was a decision ever made on this? I need to change this behavior before rolling out this module.
Comment #6
jredding commented
No decision was made on this. I have added in the behavior because it does make sense: if a user can't see the overall list, why can they see it on the individual user account?
The new "feature" (or bug fix if you prefer) disables the display of user points on the user's profile page IF they do NOT have the "view userpoints" permission. There is no permission for "View own points" though, I will leave that as a task for another person.
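
The check described in comment #6, sketched as an added example in Drupal 5 style; it is not the userpoints module's own code. The module name `examplepoints`, the helper `examplepoints_lookup()` and the sample accounts are hypothetical, and `user_access()` and `t()` are replaced by minimal stand-ins so the file runs under plain `php`.

```php
<?php
// Stand-ins for running outside Drupal; inside Drupal 5 the real
// user_access() and t() are used and this block is skipped.
if (!function_exists('user_access')) {
  function user_access($perm, $account = NULL) {
    global $user;
    $who = $account ? $account : $user;
    return in_array($perm, $who->perms);
  }
  function t($s) { return $s; }
}

// Hypothetical helper with constructed balances keyed by uid.
function examplepoints_lookup($uid) {
  $points = array(2 => 120, 3 => 45);
  return isset($points[$uid]) ? $points[$uid] : 0;
}

/**
 * hook_user() for a hypothetical "examplepoints" module: add points to the
 * profile only when the *viewer* holds "view userpoints". Being able to
 * load the profile page is not treated as permission to see the balance.
 */
function examplepoints_user($op, &$edit, &$account, $category = NULL) {
  if ($op != 'view') {
    return;
  }
  if (!user_access('view userpoints')) {
    // Fail closed: emit no profile item. As the thread notes, this also
    // hides a user's own points on their own profile page.
    return;
  }
  $items['userpoints'] = array(
    'title' => t('Points'),
    'value' => examplepoints_lookup($account->uid),
    'class' => 'member',
  );
  return array(t('Points') => $items);
}

// Constructed accounts: uid 2 holds the permission, uid 3 does not.
$admin = (object) array('uid' => 2, 'perms' => array('view userpoints'));
$member = (object) array('uid' => 3, 'perms' => array());
$edit = array();
foreach (array($admin, $member) as $viewer) {
  $GLOBALS['user'] = $viewer;  // the logged-in user doing the viewing
  foreach (array($admin, $member) as $profile) {
    $out = examplepoints_user('view', $edit, $profile);
    printf("viewer %d -> profile %d: points %s\n", $viewer->uid,
      $profile->uid, $out ? 'shown' : 'hidden');
  }
}
```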