When editing a user, if there is a field on the user profile form that is AJAX-enabled, e.g. a file field, and that AJAX is fired, the Assignable Roles field is not set correctly and essentially gets wiped on save.

I believe this is due to the use of menu_get_object() in _roleassign_form_alter(). If the form is going through an AJAX submit, the path is no longer /user/[uid]/921, resulting in NULL being returned for menu_get_object('user').

Suggested patch is attached.

Comments

tame4tex created an issue. See original summary.

salvis’s picture

Priority: Critical » Major
Status: Active » Needs review

Please convince us that this is safe (as in not-open-for-tampering) -- it would turn critical if it weren't...

nicrodgers’s picture

I was able to reproduce the same thing, and also found the same issue if you are on the path user/%user_category/edit/account.

I did a bit of research into using #user, and I don't see any security issues with it - lots of core code uses the same approach. However, I did notice a comment in the user_profile_form() function saying that modules are encouraged to use $form_state['user'] instead of $form['#user']. See also #1267978: Clean up use of $form['#user']

So I've updated the patch to use $form_state['user'] instead.
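
The difference between the two lookups discussed in this thread, as an added Drupal 7 example that is not part of the thread and is not the committed RoleAssign patch. The module name `example`, the helper `example_assignable_roles()` and the form key `example_roles` are hypothetical.

```php
<?php

/**
 * Hypothetical helper: roles this module lets an editor assign (rid => name).
 */
function example_assignable_roles() {
  $roles = user_roles(TRUE);
  // Every logged-in account has this role; it is not assignable.
  unset($roles[DRUPAL_AUTHENTICATED_RID]);
  return $roles;
}

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 */
function example_form_user_profile_form_alter(&$form, &$form_state, $form_id) {
  // Path-dependent lookup: returns the account while the request path is the
  // user edit page, but NULL when the form is rebuilt from an AJAX callback
  // path (for example a file field upload). Defaults built from NULL are
  // empty, and the next save writes that empty selection back.
  // $account = menu_get_object('user');

  // Path-independent lookup: user_profile_form() puts the account into
  // $form_state on the initial build and reuses it on every rebuild.
  // $form_state comes from the server-side form cache, not from request input.
  $account = isset($form_state['user']) ? $form_state['user'] : NULL;

  // If the account cannot be determined, add nothing: an element with empty
  // defaults would overwrite the stored roles on save.
  if (empty($account->uid)) {
    return;
  }

  $options = example_assignable_roles();
  $form['example_roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Assignable roles'),
    '#options' => $options,
    // Pre-select only the roles the edited account currently holds.
    '#default_value' => array_keys(array_intersect_key($account->roles, $options)),
  );
}
```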

  • salvis committed 34a96f2 on 7.x-1.x
    Issue #2796079 by tame4tex, nicrodgers: Form ajax and Assignable roles...

salvis’s picture

Status: Needs review » Fixed

Ok, thank you tame4tex and nicrodgers!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.