Helo,

I've create a custom block with contain simple html link to other page, I set visibility for anonymous users only. But after I login, the insert_block filter still render the block and visible to authenticated user. I try to set PHP block visibility with use !$user->uid as return TRUE value and set permission to anonym to use PHP block visibility permission, but with no luck, the block still rendered when i login. But when the block I try to put on left sidebar, it's working normaly.

Any advice? I'm just web designer with no experiences with module development.

Thank you.

CommentFileSizeAuthor
#1 insert_block-add-role-checking.patch3.85 KBAlan D.
Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Alan D.’s picture

Title: Something miss with block visibility » Block module visibility settings are bypassed.
Version: 6.x-1.x-dev » 7.x-1.x-dev
Priority: Normal » Major
FileSize
3.85 KB

Increasing to major as it could be considered a security hole bypassing what most users see as a restriction that is bypassed.

The following patch adds a role setting to the filter, allow you to decide if you want to enforce the role checking. I think that the other filters are pointless as the user preference is optional restriction, and page settings are pointless when embedding in content.

mlsamuelson’s picture

Aw, you are right Alan. I should have noticed the importance of this limitation of the module. My bad. An initial visual review of your patch looks good. I'll see if I can carve out the time to test it this week, and roll out updates for both Insert Block 7.x and 6.x.

In the meanwhile, due to this consideration, I've added a security note to the module description. We went through something similar with the Insert View module a few months back, and that was the recommendation of the security team, so I want to do right here, too.

mlsamuelson’s picture

Assigned: Unassigned » mlsamuelson
Status: Active » Fixed

Tested the patch. Works great. Committed to 7.x-1.x branch.

Taking a cue from Alan D.'s patch, I was able to implement an identical (in the UI, at least) update for the 6.x-1.x branch. Committed.

Thanks Alan D.!

Alan D.’s picture

Glad to help :)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 1be98b7 on 7.x-1.x, 8.x by mlsamuelson:
    Issue #1227982 by Alan D.: adding role checking option for insert block...

  • Commit 1be98b7 on 7.x-1.x, 8.x, 8.x-1.x by mlsamuelson:
    Issue #1227982 by Alan D.: adding role checking option for insert block...
ronek88’s picture

Issue summary: View changes

how to patch it ? please help.. Can I patch it with netbeans ?

Alan D.’s picture

Do u mean 6.x version? If not all of the current versions should have this now.

ronek88’s picture

I mean 7.x version.., but block role permission setting not work for me.. or I need some special setting for it ? It is not enought if I set block roles to setting of block?

akozoriz’s picture

Version: 7.x-1.x-dev » 8.x-1.x-dev
Assigned: mlsamuelson » Unassigned
Status: Closed (fixed) » Active

This feature isn't implemented in 8.x version. Work in progress.

alextars made their first commit to this issue’s fork.

  • alextars committed 7e7d8d2 on 8.x-1.x authored by akozoriz
    Issue #1227982 by akozoriz, Alan D.: Block module visibility settings...
alextars’s picture

Status: Active » Reviewed & tested by the community
akozoriz’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.