As it stands template_preprocess_username() uses only user_access('access user profiles') to determine whether the current user can view a profile. However that also includes their own profile which (at least in D7 where this error also occurs) should always be visible.

There's a simple quick fix which involves just adding a check to see if the current user is the same as the username we want.

global $user;
$variables['profile_access'] = user_access('access user profiles') || $account->id() == $user->id();

The equivalent fix works in D7.

Comments

adaddinsane’s picture

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

dpi’s picture

Issue summary: View changes
Status: Active » Closed (duplicate)
Related issues: +#849602: Update 'username' theme template to use 'view label' operation.
David_Rothstein’s picture

Title: template_preprocess_username() does not provide correct access to own profile » template_preprocess_username() does not check access correctly when displaying a link to the user's own profile
Status: Closed (duplicate) » Needs review
Issue tags: +needs backport to D7

I don't see how this is a duplicate - that issue is about access to the username, whereas this issue is about displaying a link to the profile page.

Essentially what this issue is saying is that the code which determines whether or not to link to the user profile should match (or at least more closely match) the code in https://api.drupal.org/api/drupal/core%21modules%21user%21src%21UserAcce... which determines whether or not the current user has access to view the profile.

Status: Needs review » Needs work

The last submitted patch, 1: 2106589-preprocess-username-own-profile.patch, failed testing.

dpi’s picture

David_Rothstein’s picture

Status: Needs work » Closed (duplicate)

Oh, yeah, this does look like a duplicate of that one.