I've installed the module into Drupal 5.7 and activated it. I've got some moderator types who need access to user profile information (even the stuff marked as "private"), but I don't necessarily want them to be able to edit those users. The only way to give them access to everything was to turn on "Admin User" privileges. I installed this module as a way to control the access.

I've set it up as protecting the "authenticated user" role from all edits and delete. However, in testing, I've discovered that for whatever reason, it doesn't seem to be understanding that the user in question *is* the user - so they can't edit themselves. Which is loads of fun at account creation time, and they click on the link to log in so they can set their password. :-) When clicking on that link, the user gets to view his profile page, but can't edit it - a big red box appears saying that the user is protected from all edits.

If I read the readme correctly, though, the user is supposed to be able to edit themselves. So I'm a bit puzzled here. Have I discovered a bug, or am I just setting something incorrectly?

Comment | File | Size | Author
#1 | up_user_edit.patch | 1.21 KB | hunmonk

Comments

hunmonk’s picture

Title: Users protected from themselves?? » Users should always be able to access their own edit page
Status: Active » Fixed
File size: 1.21 KB

i've applied the attached patch to 5.x and 6.x, it fixes the problem you describe in my testing. please download the dev tarball tomorrow and test -- feel free to reopen if there are still issues.

davidg’s picture

Status: Fixed » Active

Thanks for the update; I've put it in place and done some testing.

I've reopened the issue, however, because I've discovered a bug with the fix.

One is that if I have the role (authenticated user) set to protect all edits and delete, when I have a user (test user created for this purpose) go to their edit page, the Username field doesn't appear under account settings. Also, I have the User Cancel module installed so that a user can delete themselves if they want to. With the protection in place, the Delete button is grayed out - they can't click it.

Now, I created a second test account and gave it the "site moderator" role that I created with administer users permission. I set that role also as protected against delete and all edits. When that user goes to edit its own account, the delete button is grayed out when I select "edit", and a green message at the top says that the user is "protected from the following editing operations: Username, deletion." The Username field *does* appear for that user, but is grayed out.

Looks like a tiny tweak might still be needed. :-)

davidg’s picture

Oh! Upon a further bit of testing, by turning off the protection for the authentication user role, I just discovered that "normal" users don't normally see or have the option to change their username. Oops. :-) I guess I'm just too used to having that field visible while logged into the administrator account - didn't realize that regular users didn't see that field. Sorry about that!

But still, having the delete button available to users (when cancel user is installed) would be nice. Any chance that can be fixed?

hunmonk’s picture

Status: Active » Fixed

> But still, having the delete button available to users (when cancel user is installed) would be nice. Any chance that can be fixed?

you'd need to open another issue for this, and preferably provide a patch that's been tested as fixing the issue :)

davidg’s picture

I'm afraid I don't know the first thing about patching any of this. :-) But I'll open another incident for that issue, as you requested.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.