At the moment there is no way to get fine-grained view/update/delete permissions on user profiles. It's possible to get relatively close using modules such as http://drupal.org/project/administerusersbyrole and http://drupal.org/project/profile_permission, but this doesn't go nearly far enough.

My own use case (which requires me to hack core) is described at http://drupal.org/node/546188. In short, the conditions that need to be met in order to be able to view/edit/delete a given user profile include relationships between users that have been defined by custom modules that I have written.

In short, what I think is needed here is a duplication of the excellent, highly flexible node access system that is in D6 and seems to have been taken wholesale into D7. A direct duplication should also cover any structural changes that are made to user profiles such as (gulp) user profiles as nodes.

Comments

amateescu

Status: Active » Closed (duplicate)

The Profile module has been removed from D8 and hidden in D7 for new sites, so this issue doesn't make sense any more :)

Anyway, what you're describing should be handled in #627490: Generalize hook_node_access() and hook_node_grants() to hook_entity_*().