On line 152:
$admin = _administerusersbyrole_can_edit_user($account);
$admin = !empty($admin) ? TRUE : user_access('administer users');
$form['account']['name']['#access'] = ($register || ($user->uid == $account->uid && user_access('change own username')) || $admin);
It supposedly checks if the user has 'change own username' permission but $admin also checks if $user->uid == $account->uid so it's overriding the first part by giving everyone permission to their own username anyway. For my own use I changed it so even if $admin then it still checks that the user has the 'change own username' permission (regardless of the user account they're editing). It's not pretty but it works for now.
$form['account']['name']['#access'] = ($register || ($admin && user_access('change own username')));
Comment | File | Size | Author |
---|---|---|---|
#2 | administerusersbyrole-2056591-2.patch | 899 bytes | Jelle_S |
Comments
Comment #1
areikiera commented:
Marking this as major, as overriding a core permission like this (granting access to the ability to change own username without explicit permission) seems like a pretty big deal.
Thanks for the fix nubeli! I'm not sure if it's the best approach for a fix or not either, but it worked for me!
Comment #2
Jelle_S:
This patch fixes the issue
Comment #3
Jelle_S
Comment #4
richH commented:
Hi,
I don't think that this patch works. However, if I replace
with
$form['account']['name']['#access'] = ($account->uid == $user->uid) ? user_access('change own username') : $admin;
I appear to get the result I want.
Just a short note on this module......
There appears to be a lot wrong with it which has been patched. I have just installed it and am struggling to get it all to work
- the user can change their own user name
- what is a user without any custom roles and a user with authenticated roles
- anonymous user makes no sense
It would be great if the maintainers would make a new release with all the patches which we can then test and get it finalised. Very useful concept, but not such a useful implementation at the moment.
Thanks
Rich
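The three `#access` expressions quoted so far in this thread, compared side by side as an added example (not code from the module, the patch, or any commenter). The input flags are constructed stand-ins for the values Drupal computes at run time, and treating comment #4's line as a replacement for the whole assignment is an assumption, since the replaced line is not shown.

```php
<?php
// Model of the three '#access' expressions quoted in this thread, without Drupal.
// Each input array stands in for values computed at run time:
//   register = $register, own = ($user->uid == $account->uid),
//   change   = user_access('change own username'), admin = $admin.

$expressions = array(
  // Line 152 as quoted in the report.
  'original' => function ($i) {
    return $i['register'] || ($i['own'] && $i['change']) || $i['admin'];
  },
  // The reporter's local change.
  'report' => function ($i) {
    return $i['register'] || ($i['admin'] && $i['change']);
  },
  // The line posted in comment #4; as posted it does not consult $register.
  'comment4' => function ($i) {
    return $i['own'] ? $i['change'] : $i['admin'];
  },
);

// Constructed input combinations (not taken from a real site).
$cases = array(
  'own account, $admin set, lacks permission' =>
    array('register' => FALSE, 'own' => TRUE, 'change' => FALSE, 'admin' => TRUE),
  'own account, no $admin, has permission' =>
    array('register' => FALSE, 'own' => TRUE, 'change' => TRUE, 'admin' => FALSE),
  'other account, $admin set, lacks permission' =>
    array('register' => FALSE, 'own' => FALSE, 'change' => FALSE, 'admin' => TRUE),
  'other account, no $admin' =>
    array('register' => FALSE, 'own' => FALSE, 'change' => TRUE, 'admin' => FALSE),
  // Anonymous self-registration: both uids are 0, so "own" is TRUE.
  'registration form, anonymous' =>
    array('register' => TRUE, 'own' => TRUE, 'change' => FALSE, 'admin' => FALSE),
);

// Returns $rows[case label][expression name] = TRUE (allow) or FALSE (deny).
function evaluate_access(array $expressions, array $cases) {
  $rows = array();
  foreach ($cases as $label => $input) {
    foreach ($expressions as $name => $fn) {
      $rows[$label][$name] = (bool) $fn($input);
    }
  }
  return $rows;
}

foreach (evaluate_access($expressions, $cases) as $label => $row) {
  printf("%-46s", $label);
  foreach ($row as $name => $allowed) {
    printf(" %s=%s", $name, $allowed ? 'allow' : 'deny');
  }
  echo "\n";
}
```

The first row is the case the report describes; the third and fifth rows show where each proposed replacement changes behaviour beyond that case.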
Comment #5
AdamPS commented:
I'm not clear that we are doing as per #1:
There is an explicit permission. The user has been given permissions "Edit users with role XX" for all the roles of his own user - hence he has permission to edit.
Similarly I believe (from reading the code - didn't actually try it) with Drupal core, any user with 'administer users' permission can change their own name regardless of 'change own username'.
Hope that makes sense.
PS @richH I'm a new maintainer and hoping to have a new release soon.