If an anonymous user enters the following:
{mysite.com}/user/{any user number}

the entire profile listing is obtained for all fields except those marked as private. The only choices for privacy in profile.module are either private or two variations of public (shown in member list or not ... but always in profile list). Seems like there should be a control to specify the roles that can see the info for each field rather than merely public versus private.

I've marked this as a bug, and as critical because I'm guessing a lot of users won't realize the exposure of this information.

gil

Comments

Dublin Drupaller’s picture

bumping this...

killes@www.drop.org’s picture

Category: bug » feature
Dublin Drupaller’s picture

That duplicate link you posted goes to a patch for CVS... is there a patch for 4.5, as the original post was looking for?

Or does the CVS patch apply?

Jason

killes@www.drop.org’s picture

One of the older patches in that issue might apply to 4.5.

Dublin Drupaller’s picture

Hi Killes,

Have trawled through those CSV patches and I can't make out what would apply and what wouldn't - I'm a newbie and was hoping I could spot something simple from the patches that could be applied to 4.5.

Any other tips or guidance? I would like to help, but my skills are limited.

Jason

Dublin Drupaller’s picture

bumping this one...

killes@www.drop.org’s picture

Just try to apply one after another.

This one might apply to 4.5.
http://drupal.org/files/issues/access_users_perm.patch

Capnj’s picture

Is there a 4.5.1 version of this patch? Or can someone far more knowledgeable than I do a user.module and profile.module patched with this access control?

gil

Dublin Drupaller’s picture

Here's a fix I have come up with that works well with drupal 4.5.0.

http://drupal.org/node/13669#comment-22804

Hope it's of use to others...

Jason

Capnj’s picture

Jason's fix works very nicely.
Thanks, Jason!

gil

Capnj’s picture

Version: » 4.6.0
Category: feature » bug
Status: Active » Fixed

Marking this as fixed because at least for 4.6.x it's fixed.

Anonymous’s picture

Status: Fixed » Closed (fixed)