The protections applied to a user on the user protection settings don't work. However, in the permissions for the User Protect module, by default authenticated users are allowed to change username, email and password. Those, if disabled, disable the permissions for the role, not the users. I don't think doing that was the idea behind this module. The settings on the user protection don't work at all.

Comments

dreizwo’s picture

Same problem. A user has explicit editing permission, @see comments in userprotect.module, line 797 and following.

// Users editing their own accounts have the permissions for e-mail
// and password determined by the role-based setting in the userprotect
// section at admin/config/people/permissions. This is done for consistency
//  with the way core handles the self-editing of usernames.

AND line 811
// Always let user access their own edit page.

This will be OK if permission has been denied for a role. But in my opinion, the settings of user protect have to be analysed additionally.

The quick way is to uncomment the lines 801-815 (ONLY the userprotect settings will be analysed).
Moving the code of these lines to the bottom of the function will FIRST check userprotect settings and at least the core-handles.

GrahamShepherd’s picture

I am using this module in conjunction with IP Login (https://drupal.org/project/ip_login) as a means of preventing all but the owner of the account from viewing and editing the account details, especially username, email and password. The IP Login module automatically logs in any user within specified IP ranges for the account owner. The IP Login module does not provide any protections in itself but could when used in conjunction with this module, provided that the issue raised here is dealt with. May I request that the User Protect module include a configurable setting which will deal with this?

MegaChriz’s picture

Category: Bug report » Support request
Status: Active » Fixed

Protection rules for a specific user don't count for the user itself. To prevent a user from editing its own account, you can uncheck the following permissions for authenticated users on the permissions page:

  • Change own username
  • Change own e-mail
  • Change own password
  • Cancel own user account

That way a user who is just an authenticated user cannot edit its username, mail address and password, nor cancel its own account. If some users should be able to edit these properties (for their own account), you should assign these permissions to another role and give these users that role.

A feature to prevent an account from being viewed is not provided by this module.

A feature to prevent a user from editing its own account is requested in #1172518: Users should NOT always be able to access their own edit page. Also, this feature will be added to the Drupal 8 version of User protect.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.