? modules/syndication
Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.289
diff -u -p -r1.289 form.inc
--- includes/form.inc	27 Sep 2008 19:47:42 -0000	1.289
+++ includes/form.inc	10 Oct 2008 07:01:15 -0000
@@ -2085,7 +2085,7 @@ function theme_textfield($element) {
   $extra = '';
   $output = '';
 
-  if ($element['#autocomplete_path']) {
+  if ($element['#autocomplete_path'] && menu_valid_path(array('link_path' => $element['#autocomplete_path']))) {
     drupal_add_js('misc/autocomplete.js');
     $class[] = 'form-autocomplete';
     $extra =  '<input class="autocomplete" type="hidden" id="' . $element['#id'] . '-autocomplete" value="' . check_url(url($element['#autocomplete_path'], array('absolute' => TRUE))) . '" disabled="disabled" />';
Index: modules/profile/profile.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/profile/profile.admin.inc,v
retrieving revision 1.12
diff -u -p -r1.12 profile.admin.inc
--- modules/profile/profile.admin.inc	21 Aug 2008 19:36:38 -0000	1.12
+++ modules/profile/profile.admin.inc	10 Oct 2008 07:01:15 -0000
@@ -269,6 +269,7 @@ Unless you know what you are doing, it i
   $form['fields']['autocomplete'] = array('#type' => 'checkbox',
     '#title' => t('Form will auto-complete while user is typing.'),
     '#default_value' => $edit['autocomplete'],
+    '#description' => t('For security, auto-complete will be disabled if the user does not have access to user profiles.'),
   );
   $form['fields']['required'] = array('#type' => 'checkbox',
     '#title' => t('The user must enter a value.'),
Index: modules/profile/profile.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/profile/profile.test,v
retrieving revision 1.6
diff -u -p -r1.6 profile.test
--- modules/profile/profile.test	5 Jun 2008 21:55:44 -0000	1.6
+++ modules/profile/profile.test	10 Oct 2008 07:01:15 -0000
@@ -248,13 +248,71 @@ class ProfileTestWeights extends Profile
   }
 }
 
+/**
+ * Test profile field autocompletion and access.
+ */
+class ProfileTestAutocomplete extends ProfileTestCase {
+
+  /**
+   * Implementation of getInfo().
+   */
+  function getInfo() {
+    return array(
+      'name' => t('Autocompletion'),
+      'description' => t('Test profile fields with autocompletion.'),
+      'group' => t('Profile')
+    );
+  }
+
+  /**
+   * Tests profile field autocompletion and access.
+   */
+  function testAutocomplete() {
+    $this->drupalLogin($this->admin_user);
+
+    // Create a new profile field with autocompletion enabled.
+    $category = $this->randomName();
+    $field = $this->createProfileField('textfield', $category, array('weight' => 1, 'autocomplete' => 1));
+
+    // Enter profile field value.
+    $field['value'] = $this->randomName();
+    $this->setProfileField($field, $field['value']);
+
+    // Set some html for what we want to see in the page output later.
+    $autocomplete_html = '<input class="autocomplete" type="hidden" id="' . form_clean_id('edit-' . $field['form_name'] . '-autocomplete') . '" value="' . url('profile/autocomplete/' . $field['fid'], array('absolute' => TRUE)) . '" disabled="disabled" />';
+    $field_html = '<input type="text" maxlength="255" name="' . $field['form_name'] . '" id="'. form_clean_id('edit-' . $field['form_name']) . '" size="60" value="' . $field['value'] . '" class="form-text form-autocomplete required" />';
+
+    // Check that autocompletion html is found on the user's profile edit page.
+    $this->drupalGet('user/' . $this->admin_user->uid . '/edit/' . $category);
+    $this->assertRaw($autocomplete_html, t('Autocomplete found.'));
+    $this->assertRaw('misc/autocomplete.js', t('Autocomplete JavaScript found.'));
+    $this->assertRaw('class="form-text form-autocomplete"', t('Autocomplete form element class found.'));
+
+    // Check the autocompletion path using the first letter of our user's profile
+    // field value to make sure access is allowed and a valid result if found.
+    $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
+    $this->assertResponse(200, t('Autocomplete path allowed to user with permission.'));
+    $this->assertRaw($field['value'], t('Autocomplete value found.'));
+
+    // Logout and login with a user without the 'access user profiles' permission.
+    $this->drupalLogout();
+    $this->drupalLogin($this->normal_user);
+
+    // Check that autocompletion html is not found on the user's profile edit page.
+    $this->drupalGet('user/' . $this->normal_user->uid . '/edit/' . $category);
+    $this->assertNoRaw($autocomplete_html, t('Autocomplete not found.'));
+
+    // User should be denied access to the profile autocomplete path.
+    $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
+    $this->assertResponse(403, t('Autocomplete path denied to user without permission.'));
+  }
+}
+
   /**
    * TODO:
    * - Test field visibility
    * - Test profile browsing
-   * - Test autocomplete
    * - Test required fields
    * - Test fields on registration form
    * - Test updating fields
    */
-
Index: modules/user/user.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.test,v
retrieving revision 1.16
diff -u -p -r1.16 user.test
--- modules/user/user.test	1 Oct 2008 00:54:43 -0000	1.16
+++ modules/user/user.test	10 Oct 2008 07:01:16 -0000
@@ -523,3 +523,50 @@ class UserAdminTestCase extends DrupalWe
     $this->assertEqual($account->status, 0, 'User B blocked');
   }
 }
+
+/**
+ * Test user autocompletion.
+ */
+class UserAutocompleteTestCase extends DrupalWebTestCase {
+
+  /**
+   * Implementation of getInfo().
+   */
+  function getInfo() {
+    return array(
+      'name' => t('User autocompletion'),
+      'description' => t('Test user autocompletion functionality.'),
+      'group' => t('User')
+    );
+  }
+
+  /**
+   * Implementation of setUp().
+   */
+  function setUp() {
+    parent::setUp();
+
+    // Set up two users with different permissions to test access.
+    $this->unprivileged_user = $this->drupalCreateUser();
+    $this->privileged_user = $this->drupalCreateUser(array('access user profiles'));
+  }
+
+  /**
+   * Tests access to user autocompletion and verify the correct results.
+   */
+  function testUserAutocomplete() {
+    // Check access from unprivileged user, should be denied.
+    $this->drupalLogin($this->unprivileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(403, t('Autocompletion access denied to user without permission.'));
+
+    // Check access from privileged user.
+    $this->drupalLogout();
+    $this->drupalLogin($this->privileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(200, t('Autocompletion access allowed.'));
+
+    // Using first letter of the user's name, make sure the user's full name is in the results.
+    $this->assertRaw($this->unprivileged_user->name, t('User name found in autocompletion results.'));
+  }
+}