Install
Works with Drupal: 7.x
Downloads
Download tar.gz
20.65 KB
MD5: 4dc447fe8ca94c2bc3f2bbc6f897d28b
SHA-1: 43fa20b711b06bb83d8c46be447da8930650c3e7
SHA-256: c64bf8dd21018cb7c99220d3afed76bdc108da9fc940abf0f54c910deccada14
Download zip
25.79 KB
MD5: 9aadb1a26d17c18b0453f78d2f326f25
SHA-1: c80d6b73c9c8a111b41b93d4faea83d05a78566e
SHA-256: 3c053b0fb0ed884b768ae2c98fbd854dd81ab18d8c4359026c14eb370308b62c
Release notes
This release fixes a "Less Critical" security vulnerability: users are able to view their own profiles on their user account page, regardless of whether they have permission for it. For more details, see #1051550.
There is no official security announcement, as there is no stable release affected.
Changes since 7.x-1.0-beta2 (10 commits):
- #1168618 added a small profile2 OG access integration module for supporting group-level access permissions.
- renamed to Profile pages module to reflect it belongs to profile2.
- overhauled profile2_access() and introduced hook_profile2_access() so modules may alter access to profiles.
- #1149808 only deny field access for fields that have been marked as private.
- #1051550 Security: users always see their own profiles regardless of the permissions.
- fixed tests as follow-up from #1141552 and to run on a recent d7.
- #1065860 follow-up by ericbroder: delete profile data only on user account deletion.
- #1141552 patch by jide, ericbroder: Correct use of drupal_static in profile2_load_by_user().
- #1141106 by Amitaibu: Fixed incorrect foreign key in hook_schema().
- #1065860 by Countzero: Fixed profiles not deleted when user account is deleted.