Closed (fixed)
Project: Bio
Version: 5.x-1.x-dev
Component: Miscellaneous
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 27 Mar 2007 at 03:34 UTC
Updated: 4 Jun 2007 at 21:24 UTC
Comments
Comment #1
Crell commented: I can confirm this behavior. Authenticated users have only "edit own bio", but still all authenticated users can edit anyone's bio page.
Comment #2
Crell commented: Update: geddon, are you using the nodeaccess module? I was, and had that mis-set. I had to set the bio node type to not have update access for auth users, but then the "edit own bio" permission still worked properly. It then worked as expected.
Comment #3
bonobo commented: I can confirm this bug -- the user is presented with what appears to be an editable bio form for any bio they view -- while they can't actually save their edits, it is too confusing to use on a live site.
Comment #4
marcp commented: To reproduce the bug:
1. Log in as any user
2. Navigate to user/NNN/bio where NNN is the uid of a user that does NOT yet have a Bio
3. Notice that you are shown the Bio edit form when you probably shouldn't (unless you can administer nodes)
Patch is attached that fixes the bug. In hook_menu() it checks to make sure that, on user/NNN/bio, the logged-in user's uid is the same as NNN (or that the logged-in user can administer nodes).
See http://drupal.org/patch/apply if you need to apply the patch and don't know how.
Marc
-------
http://www.funnymonkey.com
Tools for Teachers
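The ownership rule described in comment #4, written out as a stand-alone PHP script. This is an added example, not part of the original thread, the Bio module, or the attached patch. The function name `bio_form_access`, the `$viewer` array, and the sample users are hypothetical, and it uses current PHP syntax rather than the PHP version Drupal 5 targeted.

```php
<?php
// Added illustration; not the Bio module's code and not the attached patch.
// $viewer is a hypothetical stand-in for Drupal's global $user with its permissions.

/**
 * May $viewer be shown the bio edit form at user/<NNN>/bio?
 * Rule from comment #4: viewer's uid equals NNN, or viewer can administer nodes.
 */
function bio_form_access(array $viewer, string $path_uid): bool {
  // Assumption: a non-numeric NNN is refused. With a loose == on older PHP,
  // 12 == "12abc" is true, so the path segment is validated before comparing.
  if (!ctype_digit($path_uid)) {
    return false;
  }
  if (in_array('administer nodes', $viewer['perms'], true)) {
    return true;
  }
  // Assumption: uid 0 (Drupal's anonymous user) never matches, even on user/0/bio.
  return $viewer['uid'] > 0 && $viewer['uid'] === (int) $path_uid;
}

// Constructed sample viewers; uids and permission sets are made up for the example.
$alice = ['uid' => 12, 'perms' => ['edit own bio']];
$admin = ['uid' => 1,  'perms' => ['administer nodes']];
$anon  = ['uid' => 0,  'perms' => []];

// Constructed requests: label, viewer, NNN from the path, expected decision.
$cases = [
  ['alice, own page',         $alice, '12',    true],
  ['alice, user 34 (no bio)', $alice, '34',    false],
  ['admin, user 34',          $admin, '34',    true],
  ['anonymous, user/0/bio',   $anon,  '0',     false],
  ['alice, malformed uid',    $alice, '12abc', false],
];

foreach ($cases as [$label, $viewer, $path_uid, $expected]) {
  $got = bio_form_access($viewer, $path_uid);
  assert($got === $expected);
  printf("%-26s %s\n", $label, $got ? 'show edit form' : 'deny');
}
```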
Comment #5
Crell commented: I don't know if this is a dupe or a related bug, but http://drupal.org/node/53371
Both should probably get applied, but I leave that to the maintainer.
Comment #6
bonobo commented: Has this patch been reviewed? Without it, there are some serious usability issues with bio. This patch fixes these issues, and in the month since it's been posted, it has been used on at least 5 sites we've brought live with clients (i.e., used by about 1K end users) with no issue.
Comment #7
jjeff commented: committed.