Problem/Motivation
username template does not render a hyperlink if it is for the current user and the current user does not have the 'access user profiles' permission.
Proposed resolution
Use $user->access('view')
instead of \Drupal::currentUser()->hasPermission('access user profiles')
when determining whether the current user can see the link.
Original report by boombatower
Seems a bit odd that if a user does not have the 'access user profiles' permission they do not get a link to their own username even though they have permission to view their own profile.
Issue fork drupal-1101958
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
boombatower CreditAttribution: boombatower commentedComment #2
boombatower CreditAttribution: boombatower commentedComment #3
boombatower CreditAttribution: boombatower commentedseems to have been missed by bot
Comment #4
Dave ReidMaybe we should just use something like
$variables['profile_access'] = drupal_valid_path('user/' . $account->uid);
since that handles anything that modifies access to the user path?Comment #5
boombatower CreditAttribution: boombatower commentedI mean this really leads down to user access API (or better yet entity access) which should allow a user access to itself.
Comment #6
drupalycious CreditAttribution: drupalycious commented#2: 1101958-theme-username.patch queued for re-testing.
Comment #7
drupalycious CreditAttribution: drupalycious commentedthis is what I am looking for since a while, will it be pushed to drupal core?
thanks
Comment #11
dpiConfirmed this is still an issue in 8.3.x, updated issue summary.
Comment #12
dpiComment #13
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedTransferring backport tag from duplicate issue (#2106589: template_preprocess_username() does not check access correctly when displaying a link to the user's own profile).
Comment #14
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented[removed duplicate comment]
Comment #15
dpiWrong access operation in sample code.
Comment #16
dpiComment #17
dpiUp for testing
For my reference: dpi/drupal/user-username-link-to-self-1101958
Comment #18
dpiRemoved a stray piece of text in issue summary
Comment #20
dpiTest failure due to bug fix.
Fixed some tests that made an assumption that username would be in a
<span>
. These tests were showing a[`#theme` => 'username']
to the current user. In this case, the logged in user had administer users, but not access user profiles, which meant it could not view its own profile link.Tests no longer assume username in a
<span>
. It will just get HTML inner-text.Edit: whoops wrong file suffix for interdiff.
Comment #22
dpiOutline of patch (#20)
Some of
template_preprocess_username()
was refactored:Removed
$external
and the Url object re-creation at the end of the function since we already have aUrl
object from the $account. There is no point in casting it to string then re-creating it.Tests
Includes testing.
Setting 'uid' explicitly to avoid installing {sequences}. Using uid=2 to avoid any special treatment that uid=1 gets.
Uploading test only patch.
Comment #24
dpiPatch #20 is ready for review
Comment #25
jibranCan't we use `$account->td[0]->a;`?
Comment #26
dpiNo, because it is a mix of tags.
Logged in as 'admin', administer users, no access user profiles:
The test shows a list of users:
It is much easier to get inner text (the username), than to check existence of both
td->span
andtd->a
<td><span>admin</span></td>
<td><a>admin</a></td>
<td><span>user2</span></td>
<td><span>user2</span></td>
<td><span>user3</span></td>
<td><span>user3</span></td>
Comment #38
borisson_The patch in #20 no longer applies, but the test only change in #22 does seem to make sense and provest that this change fixes the problem.
The test will also need updating to the latest standards as well.
Comment #39
ajaypratapsingh CreditAttribution: ajaypratapsingh at Srijan | A Material+ Company for Drupal India Association commentedI tried to re-roll the patch #22 against drupal 9.5.x, mainly considered the points of @borrisson_ mentioned in comment #38
Comment #41
borisson_Looks like the patch in #39 did not include the actual fix but only the "test-only" patch, needs to have the fix also.
Comment #42
Medha KumariReroll the patch #43 with Drupal 9.5.x .
Comment #44
smustgrave CreditAttribution: smustgrave at Mobomo commentedSeems #42 is doing the same as #39 and not including the fix.
Comment #46
smustgrave CreditAttribution: smustgrave at Mobomo commentedActually retesting this on D10.
Created an admin user and another userA
Using the Who's on block (edited it to be unrestricted)
UserA doesn't have the permission to "access user profiles"
When logged in as UserA the admin user is not hyperlinked but userA is.
So appears the issue has been resolved.