Hello,
I've created a custom block which contains a simple HTML link to another page, and I set its visibility to anonymous users only. But after I log in, the insert_block filter still renders the block and it is visible to the authenticated user. I tried to set PHP block visibility using !$user->uid as the return TRUE value and gave anonymous users the permission to use PHP block visibility, but with no luck: the block is still rendered when I log in. But when I put the block in the left sidebar, it works normally.
Any advice? I'm just a web designer with no experience with module development.
Thank you.
Comment | File | Size | Author |
---|---|---|---|
#1 | insert_block-add-role-checking.patch | 3.85 KB | Alan D. |
Comments
Comment #1
Alan D. commented:
Increasing to major, as it could be considered a security hole: it bypasses what most users see as a restriction.
The following patch adds a role setting to the filter, allowing you to decide if you want to enforce the role checking. I think that the other filters are pointless, as the user preference is an optional restriction, and page settings are pointless when embedding in content.
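A standalone PHP sketch of the role check described in comment #1, added here as an illustration; it is not taken from the patch or from the Insert Block module. The `[block:module=delta]` tag form, the function names and the sample blocks are assumptions made for this example.

```php
<?php
// Constructed sample data; names and structure are assumptions for this sketch.
const ANONYMOUS_RID = 1;      // Drupal's anonymous role id
const AUTHENTICATED_RID = 2;  // Drupal's authenticated role id

// Blocks keyed by "module=delta": content plus the role ids allowed to see it.
// An empty role list means "visible to every role", as in Drupal core.
$blocks = [
    'block=1' => ['content' => '<a href="/user/register">Sign up</a>', 'rids' => [ANONYMOUS_RID]],
    'block=2' => ['content' => '<p>Opening hours</p>', 'rids' => []],
];

function block_visible_to(array $block, array $user_rids): bool
{
    return $block['rids'] === [] || array_intersect($block['rids'], $user_rids) !== [];
}

/**
 * Replaces [block:module=delta] tags in filtered text.
 * With $check_roles false the block's role restriction is ignored,
 * which is the behaviour reported in this issue.
 */
function insert_blocks(string $text, array $blocks, array $user_rids, bool $check_roles): string
{
    return preg_replace_callback(
        '/\[block:([a-z0-9_]+=[a-z0-9_-]+)\]/i',
        function (array $m) use ($blocks, $user_rids, $check_roles): string {
            $block = $blocks[$m[1]] ?? null;
            if ($block === null) {
                return '';  // unknown block: render nothing
            }
            if ($check_roles && !block_visible_to($block, $user_rids)) {
                return '';  // role restriction enforced: hide the block
            }
            return $block['content'];
        },
        $text
    );
}

$body = 'Welcome. [block:block=1] [block:block=2]';
$logged_in = [AUTHENTICATED_RID];

// Without role checking the anonymous-only link still reaches a logged-in user.
echo insert_blocks($body, $blocks, $logged_in, false), PHP_EOL;
// With role checking only the unrestricted block is rendered for that user.
echo insert_blocks($body, $blocks, $logged_in, true), PHP_EOL;
// An anonymous visitor sees both blocks.
echo insert_blocks($body, $blocks, [ANONYMOUS_RID], true), PHP_EOL;
```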
Comment #2
mlsamuelson commented:
Aw, you are right Alan. I should have noticed the importance of this limitation of the module. My bad. An initial visual review of your patch looks good. I'll see if I can carve out the time to test it this week, and roll out updates for both Insert Block 7.x and 6.x.
In the meanwhile, due to this consideration, I've added a security note to the module description. We went through something similar with the Insert View module a few months back, and that was the recommendation of the security team, so I want to do right here, too.
Comment #3
mlsamuelson commented:
Tested the patch. Works great. Committed to 7.x-1.x branch.
Taking a cue from Alan D.'s patch, I was able to implement an identical (in the UI, at least) update for the 6.x-1.x branch. Committed.
Thanks Alan D.!
Comment #4
Alan D. commented:
Glad to help :)
Comment #8
ronek88 commented:
How do I patch it? Please help. Can I patch it with NetBeans?
Comment #9
Alan D. commented:
Do you mean the 6.x version? If not, all of the current versions should have this now.
Comment #10
ronek88 commented:
I mean the 7.x version, but the block role permission setting does not work for me. Or do I need some special setting for it? Is it not enough if I set block roles in the block's settings?
Comment #11
akozoriz (as a volunteer and at axweb.sk, Drupal Ukraine Community) commented:
This feature isn't implemented in the 8.x version. Work in progress.