It seems a little bit strange to me, so I would ask whether this is by design or a bug: I set up a view with a block showing the user profile, and I also wanted to provide users with an "edit account" link within that block. However, the link shows only when users have the "administer users" permission, which is rather a security hole (right?). My view is:
```php
$view = new view;
$view->name = 'UserInfo';
$view->description = '';
$view->tag = '';
$view->view_php = '';
$view->base_table = 'users';
$view->is_cacheable = FALSE;
$view->api_version = 2;
$view->disabled = FALSE; /* Edit this to true to make a default view disabled initially */
$handler = $view->new_display('default', 'Defaults', 'default');
$handler->override_option('fields', array(
  'uid' => array(
    'label' => 'Uid',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'link_to_user' => 1,
    'exclude' => 1,
    'id' => 'uid',
    'table' => 'users',
    'field' => 'uid',
    'relationship' => 'none',
  ),
  'picture' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'exclude' => 0,
    'id' => 'picture',
    'table' => 'users',
    'field' => 'picture',
    'relationship' => 'none',
  ),
  'value_1' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'exclude' => 0,
    'id' => 'value_1',
    'table' => 'profile_values_profile_aboutme',
    'field' => 'value',
    'relationship' => 'none',
  ),
  'value_2' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'display_as_link' => 1,
    'exclude' => 0,
    'id' => 'value_2',
    'table' => 'profile_values_profile_url',
    'field' => 'value',
    'relationship' => 'none',
  ),
  'edit_node' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => 'EE',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'text' => 'Edytuj',
    'exclude' => 0,
    'id' => 'edit_node',
    'table' => 'users',
    'field' => 'edit_node',
    'relationship' => 'none',
  ),
  'delete_node' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => 'DD',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'text' => 'Usuń',
    'exclude' => 0,
    'id' => 'delete_node',
    'table' => 'users',
    'field' => 'delete_node',
    'relationship' => 'none',
  ),
));
$handler->override_option('arguments', array(
  'uid' => array(
    'default_action' => 'default',
    'style_plugin' => 'default_summary',
    'style_options' => array(),
    'wildcard' => 'all',
    'wildcard_substitution' => 'All',
    'title' => '',
    'breadcrumb' => '',
    'default_argument_type' => 'user',
    'default_argument' => '',
    'validate_type' => 'user',
    'validate_fail' => 'not found',
    'break_phrase' => 0,
    'not' => 0,
    'id' => 'uid',
    'table' => 'users',
    'field' => 'uid',
    'validate_user_argument_type' => 'uid',
    'validate_user_roles' => array(
      '2' => 2,
      '3' => 0,
      '15' => 0,
      '5' => 0,
      '13' => 0,
      '6' => 0,
    ),
    'relationship' => 'none',
    'default_options_div_prefix' => '',
    'default_argument_user' => 0,
    'default_argument_fixed' => '',
    'default_argument_php' => '',
    'validate_argument_node_type' => array(
      'webform' => 0,
      'blog' => 0,
      'article' => 0,
      'book' => 0,
      'news' => 0,
      'page' => 0,
      'partner' => 0,
      'story' => 0,
    ),
    'validate_argument_node_access' => 0,
    'validate_argument_nid_type' => 'nid',
    'validate_argument_vocabulary' => array(
      '12' => 0,
      '15' => 0,
      '16' => 0,
    ),
    'validate_argument_type' => 'tid',
    'validate_argument_transform' => 0,
    'validate_user_restrict_roles' => 1,
    'validate_argument_php' => '',
  ),
));
$handler->override_option('access', array(
  'type' => 'none',
));
$handler->override_option('cache', array(
  'type' => 'none',
));
$handler->override_option('items_per_page', 1);
$handler->override_option('style_plugin', 'list');
$handler->override_option('style_options', array(
  'grouping' => '',
  'type' => 'ul',
));
$handler->override_option('row_options', array(
  'inline' => array(
    'edit_node' => 'edit_node',
    'delete_node' => 'delete_node',
  ),
  'separator' => '/',
  'hide_empty' => 0,
));
$handler = $view->new_display('block', 'Blok', 'block_1');
$handler->override_option('block_description', '');
$handler->override_option('block_caching', -1);
```
Thank you for any tip!
Comment | File | Size | Author |
---|---|---|---|
#4 | views_handler_field_user_link_edit.inc_.patch | 918 bytes | mariusz.slonina |
#4 | views_handler_field_user_link_delete.inc_.patch | 932 bytes | mariusz.slonina |
#3 | 727304-user_edit_access.patch | 1011 bytes | dawehner |
Comments
Comment #1
merlinofchaos commented: The links are designed to only show up if a user has permission to use them. How is it a security hole if they show up when a user does not have permission to use them?
Comment #2
mariusz.slonina commented: They don't show for an authenticated user who does not have the "administer users" permission. I wanted to have something similar to the default Drupal tabs on the profile page -- for design reasons I simply do not show the tabs. So I tried to "move" the tabs to a "profile block". For a logged-in user, on his own "profile block", the links don't show up -- the user has permission to edit his own account, right? I agree, the user should not see edit links if he does not have permission to use them (i.e. on the "profile block" of another user). For node links it works great (I did a similar "node block" for regular content types). I don't want to give regular users the "administer users" permission to access the edit links for their own account; this permission is designed to be only for admins or so. Maybe I am missing something, I'll be grateful for any help:)
Comment #3
dawehner commented: It would be possible to move the access check from the access method to the render function. There it would be possible to check whether it's the current user. So please review the patch.
Comment #4
mariusz.slonina commented: Well, it's almost ok:) However, user_edit_access() needs $account, not $uid. See attached patch. I did the same for the delete link.
Comment #5
mariusz.slonina commented: Forget about the delete patch. I've just realized it is not the Drupal 6 way...
Comment #6
dawehner commented: The first patch looks fine.
Comment #7
merlinofchaos commented: Committed to all branches -- not the delete one, obviously. Users can't self-delete.
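The approach the thread converges on, written out as an added illustration rather than the committed patch: a Views 2 field handler whose access() no longer gates the whole field on "administer users", and whose render() applies core's user_edit_access() to the account of the row being rendered. It assumes Views 2 on Drupal 6, the views_handler_field_user_link base class and its uid alias; the class name and the fallback link text are hypothetical.

```php
<?php
// Added example, not the patch from this issue. Assumes Drupal 6 / Views 2 and
// the views_handler_field_user_link base class, which adds the users.uid alias.
class views_handler_field_user_link_edit_example extends views_handler_field_user_link {

  // Field-level access stays open: whether the link may be shown is decided
  // per row in render(), so a user sees the link only on their own profile.
  function access() {
    return TRUE;
  }

  function render($values) {
    // The uid alias comes from the parent handler's query() (assumed name).
    $uid = isset($values->{$this->aliases['uid']}) ? (int) $values->{$this->aliases['uid']} : 0;
    if ($uid <= 0) {
      return '';
    }

    // Load the full account object: user_edit_access() needs $account, not $uid.
    $account = user_load(array('uid' => $uid));
    if (!$account) {
      return '';
    }

    // Core's own rule: the account owner or a user with "administer users",
    // never the anonymous account. No new permission is introduced here.
    if (!user_edit_access($account)) {
      return '';
    }

    $text = !empty($this->options['text']) ? $this->options['text'] : t('edit');
    return l($text, 'user/' . $account->uid . '/edit', array('query' => drupal_get_destination()));
  }
}
```

The delete link is deliberately left alone: as comment #7 notes, Drupal 6 users cannot delete their own account, so its existing "administer users" check is the correct one.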