On line 152:

   $admin = _administerusersbyrole_can_edit_user($account);
   $admin = !empty($admin) ? TRUE : user_access('administer users');
 
   $form['account']['name']['#access'] = ($register || ($user->uid == $account->uid && user_access('change own username')) || $admin);

It supposedly checks if the user has 'change own username' permission, but $admin also checks if $user->uid == $account->uid, so it's overriding the first part by giving everyone permission to their own username anyway. For my own use I changed it so even if $admin then it still checks that the user has the 'change own username' permission (regardless of the user account they're editing). It's not pretty but it works for now.

   $form['account']['name']['#access'] = ($register || ($admin && user_access('change own username')));

Comment   File                                     Size        Author
#2        administerusersbyrole-2056591-2.patch    899 bytes   Jelle_S

Comments

areikiera’s picture

Priority: Normal » Major

Marking this as major, as overriding a core permission like this (granting access to the ability to change own username without explicit permission) seems like a pretty big deal.

Thanks for the fix nubeli! I'm not sure if it's the best approach for a fix or not either, but it worked for me!

Jelle_S’s picture

This patch fixes the issue

Jelle_S’s picture

Status: Active » Needs review

richH’s picture

Hi,

I don't think that this patch works. However, if I replace

+ $form['account']['name']['#access'] = ($account->uid == $user->uid) ? $form['account']['name']['#access'] : $admin;

with

$form['account']['name']['#access'] = ($account->uid == $user->uid) ? user_access('change own username') : $admin;

I appear to get the result I want.

Just a short note on this module......
There appears to be a lot wrong with it which has been patched. I have just installed it and am struggling to get it all to work:
- the user can change their own user name
- what is a user without any custom roles and a user with authenticated roles
- anonymous user makes no sense

It would be great if the maintainers would make a new release with all the patches which we can then test and get it finalised. Very useful concept, but not such a useful implementation at the moment.

Thanks
Rich
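
The three '#access' expressions quoted so far in this thread (line 152 of the module, the change in the issue summary, and the replacement line in richH's comment), compared side by side. This is an added example, not code from the module or from any participant: the function names and boolean inputs are assumptions standing in for the Drupal calls, and $register is held FALSE so only edits of an existing account are modelled.

```php
<?php
// Boolean inputs stand in for the Drupal calls on the page (assumption):
//   $self    : $user->uid == $account->uid
//   $own     : user_access('change own username')
//   $by_role : !empty(_administerusersbyrole_can_edit_user($account))
//   $adm     : user_access('administer users')

// $admin as computed on the page: role-based grant, else 'administer users'.
function admin_flag(bool $by_role, bool $adm): bool {
  return $by_role ? TRUE : $adm;
}
// Line 152 as quoted in the issue summary, with $register = FALSE.
function access_line152(bool $self, bool $own, bool $admin): bool {
  return ($self && $own) || $admin;
}
// The issue summary's local change, with $register = FALSE.
function access_summary_change(bool $own, bool $admin): bool {
  return $admin && $own;
}
// The replacement line from richH's comment.
function access_richh(bool $self, bool $own, bool $admin): bool {
  return $self ? $own : $admin;
}
// Collect every input combination on which the three expressions disagree.
function differing_rows(): array {
  $rows = [];
  foreach ([FALSE, TRUE] as $self) {
    foreach ([FALSE, TRUE] as $own) {
      foreach ([FALSE, TRUE] as $by_role) {
        foreach ([FALSE, TRUE] as $adm) {
          $admin = admin_flag($by_role, $adm);
          $out = [
            access_line152($self, $own, $admin),
            access_summary_change($own, $admin),
            access_richh($self, $own, $admin),
          ];
          if (count(array_unique($out)) > 1) {
            $rows[] = array_merge([$self, $own, $by_role, $adm], $out);
          }
        }
      }
    }
  }
  return $rows;
}
function yes_no(bool $b): string { return $b ? 'yes' : 'no'; }

$fmt = "%-5s %-5s %-8s %-5s | %-8s %-8s %-8s\n";
printf($fmt, 'self', 'own', 'by_role', 'adm', 'line152', 'summary', 'richH');
foreach (differing_rows() as $row) {
  vprintf($fmt, array_map('yes_no', $row));
}
```

The rows with self=yes, own=no, by_role=yes are the case reported in the issue summary.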

AdamPS’s picture

Status: Needs review » Closed (works as designed)

I'm not clear that we are doing as per #1:

"overriding a core permission like this (granting access to the ability to change own username without explicit permission) seems like a pretty big deal."

There is an explicit permission. The user has been given permissions "Edit users with role XX" for all the roles of his own user - hence he has permission to edit.

Similarly I believe (from reading the code - didn't actually try it) with Drupal core, any user with 'administer users' permission can change their own name regardless of 'change own username'.

Hope that makes sense.

PS @richH I'm a new maintainer and hoping to have a new release soon.