When editing a user, if there is a field on the user profile form that is ajax enabled, e.g. a file field, and that ajax is fired, the Assignable Roles field is not set correctly and essentially gets wiped on save.
I believe this is due to the use of menu_get_object() in _roleassign_form_alter(). If the form is going through an ajax submit, the path is no longer /user/[uid]/921, resulting in NULL being returned for menu_get_object('user').
Suggested patch is attached.
Comment | File | Size | Author |
---|---|---|---|
#4 | roleassign-ajax_related_bug-2796079-3.patch | 680 bytes | nicrodgers |
#4 | interdiff.txt | 574 bytes | nicrodgers |
#2 | roleassign-ajax_related_bug-2796079-1.patch | 644 bytes | tame4tex |
Comments
Comment #2
tame4tex
Comment #3
salvis
Please convince us that this is safe (as in not-open-for-tampering) -- it would turn critical if it weren't...
Comment #4
nicrodgers
I was able to reproduce the same thing, and also found the same issue if you are on the path user/%user_category/edit/account.
I did a bit of research into using #user, and I don't see any security issues with it - lots of core code uses the same approach. However, I did notice a comment in the user_profile_form() function saying that modules are encouraged to use $form_state['user'] instead of $form['#user']. See also #1267978: Clean up use of $form['#user']
So I've updated the patch to use $form_state['user'] instead.
Comment #6
salvis
Ok, thank you tame4tex and nicrodgers!
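
The approach discussed in this thread, sketched as an added example (not the attached patch and not RoleAssign's code): a hypothetical Drupal 7 module `example_roles` takes the edited account from `$form_state['user']` instead of the request path, and adds nothing to the form when no account is available. The module name, element key and permission string are assumptions made for illustration.

```php
<?php
/**
 * @file
 * Added illustration. "example_roles" is a hypothetical Drupal 7 module.
 */

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 */
function example_roles_form_user_profile_form_alter(&$form, &$form_state, $form_id) {
  // Path-dependent lookup (the pattern reported as broken in this issue):
  //   $account = menu_get_object('user');
  // On user/%user/edit this returns the account from the router item. When an
  // AJAX-enabled field rebuilds the form, the request path is system/ajax and
  // the call returns NULL, so role defaults computed from it come out empty.

  // user_profile_form() stores the account it was built for in
  // $form_state['user'] on the first build and reuses it on every rebuild.
  // The value comes from the form builder's $account argument and travels in
  // the server-side form state, not in the submitted POST values.
  if (empty($form_state['user']) || !is_object($form_state['user'])) {
    // Fail closed: with no known account, do not render an element whose
    // empty defaults could overwrite the stored roles on save.
    return;
  }
  $account = $form_state['user'];

  // Roles offered for assignment. user_roles(TRUE) already omits the
  // anonymous role; the authenticated role is dropped because it is implicit.
  $options = array_diff_key(user_roles(TRUE), array(DRUPAL_AUTHENTICATED_RID => TRUE));

  // Pre-check only roles the account holds and that are actually offered.
  $defaults = array_intersect(array_keys($account->roles), array_keys($options));

  $form['example_roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Assignable roles'),
    '#options' => $options,
    '#default_value' => $defaults,
    // Hypothetical permission name, defined by this example module only.
    '#access' => user_access('assign example roles'),
  );
}
```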