When I create bio, I can edit the node through user/UID/bio. But at the same time it's also editable through node/NID/edit. This is not preferable since I use specific CSS to the form rendered by page-user.tpl. When it's accessible though normal page.tpl which doesn't include the custom CSS, the form looks different. Any customization lost and the user gets confused.

On the other hand and the worst part, anonymous users can still access the bio node through the node path (e.g: node/4), even though I don't allow them to access user profile. Is this a bug or the bio node is just a public node not intended to be restrictive by role?

Any workaround this? Thanks


drupaloSa’s picture

subscribing for anonymous access problem...

marcp’s picture

This feels like a bug, but it's hard to fix in a nice way in the bio module.

One workaround is to have a custom node-bio.tpl.php (if bio is the name of your bio type), and wrap the whole thing in a test on user_access('access user profiles'), like this:

if (user_access('access user profiles')) {
else {
  drupal_set_title(t('Access denied'));
  print t('You are not authorized to access this page.');

The code in the else portion is taken from drupal_access_denied() -- put whatever you want the denied user to see there.