Posted by pwrovchz on October 25, 2011 at 7:23pm
| Project: | Vote Up/Down |
| Version: | 6.x-2.6 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
I searched to see if this was answered already, but didn't see anything on the intended behavior. It appears that in the latest release, any user that can access a user's profile can now also access that user's vote history. I found the thread where the change originated (http://drupal.org/node/1246392).
Should this...
<?php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}
?>
Be this...
<?php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users');
}
?>
I guess you could add an additional check allowing users to view their own vote page if that is desired.
<?php
function vud_can_see_votes($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}
?>
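The three variants from the issue summary, compared side by side in a stand-alone harness (an added example, not code from the issue, the module, or Drupal core). `user_access()` and `user_view_access()` here are simplified stand-ins; the viewers, uids and the own-profile and 'administer users' branches of the stand-in are assumptions made for illustration.

```php
<?php
// Stand-alone harness; user_access()/user_view_access() are simplified stand-ins.
$user = NULL; // current viewer, mirrors Drupal's global $user
function user_access($perm) {
  global $user;
  return in_array($perm, $user->perms, TRUE);
}

function user_view_access($account) {
  global $user;
  return $user->uid == $account->uid
    || user_access('administer users')
    || ($account->status && user_access('access user profiles'));
}

// The three variants from the issue summary, keyed by a hypothetical label.
$variants = array(
  'released' => function ($a) {
    if ($a->status != 1) { return user_view_access($a); }
    return user_access('access vote up/down statistics') || user_view_access($a);
  },
  'proposed' => function ($a) {
    if ($a->status != 1) { return user_view_access($a); }
    return user_access('access vote up/down statistics') || user_access('administer users');
  },
  'proposed+own' => function ($a) {
    global $user;
    if ($a->status != 1) { return user_view_access($a); }
    return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $a->uid);
  },
);

// Constructed viewers; the target is an active account with uid 7.
$target = (object) array('uid' => 7, 'status' => 1);
$viewers = array(
  'profile viewer' => (object) array('uid' => 3, 'perms' => array('access user profiles')),
  'stats viewer'   => (object) array('uid' => 4, 'perms' => array('access vote up/down statistics')),
  'user admin'     => (object) array('uid' => 5, 'perms' => array('administer users')),
  'account owner'  => (object) array('uid' => 7, 'perms' => array()),
);
foreach ($viewers as $label => $viewer) {
  $user = $viewer;
  $row = array();
  foreach ($variants as $name => $check) {
    $row[] = $name . '=' . ($check($target) ? 'allow' : 'deny');
  }
  echo str_pad($label, 15) . implode('  ', $row) . "\n";
}
```

The 'profile viewer' row is the one that matters for this report: it is the only viewer whose result depends on whether the check falls through to `user_view_access()`.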
Comments
#1
Thanks for reporting :-)
Reviewing in detail the code of user_view_access(), I see what you mean. Yes, there is a problem there since it allows access for people with 'access user profiles' permission to access what only 'access vote up/down statistics' permission enabled users should see.
So, here is the patch I have pushed to 6.x-3.x and 6.x-2.x. It's not exactly what you wrote, and is instead completely based on user_view_access() logic.
#2
Automatically closed -- issue fixed for 2 weeks with no activity.