Not sure if I have something set incorrectly but an anonymous user can view profile information (i.e. /user/42).

I don't think this is a good thing and for the life of me cannot figure out how to eliminate this.

Comments

Dublin Drupaller

Hi jxz..

have noticed the same and am trying to find a solution.

Jason

Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate

Steve Dondley

What kind of profile information are you seeing and what version of Drupal do you have?

Dublin Drupaller

I'm using drupal 4.5

Anyone can type in a path and any number to view a users profile...i.e.

drupalsite.com/?q=user/293

or

drupalsite.com/user/293

And it will display all the user details..including any profile fields setup.

As opposed to blogs for example...when anyone types in the following:

drupalsite.com/blog/293

It triggers the "YOU DON'T HAVE ACCESS TO VIEW THIS PAGE" message or default 403 page.

Hope that makes it clearer..

It was discussed at the following link at length for the CVS version with patches..but I couldn't see a patch for 4.5

http://drupal.org/node/4166

Jason

Steve Dondley

I assume you have the profile module enabled.

Some profile fields are public and some are private. For example, you should not see the e-mail address. Are you seeing fields that should be private? You can make the public ones private by changing the setting in 'admin/user/configure/profile'

Dublin Drupaller

Hi Nysus..

> Some profile fields are public and some are private. For example, you should not see the e-mail address. Are you seeing fields that should be private? You can make the public ones private by changing the setting in 'admin/user/configure/profile'

Yep. profile.module is enabled. And I know about the public/private thing in admin/users/configure/profile.

To answer your question it is the "public" elements that are showing up. If you switch those fields to be "private" - only the administrator can see them.

beyond the profile fields showing...the user settings are showing to anonymous users..basically anyone.

To explain further..consider a drupal site where great lengths are made to restrict access to blogs, events, pages, stories and other node content...e.g. a private community area for members-only where members have to login to access the content..

with the current system, anyone outside that community can view a user's profile - even though ACCESS USER LIST is disabled in the admin/users/configure/permissions page - by guessing that if they type in /user/number they can view member details. Whereas if the same anonymous user guesses to type in /blog/number they get the access denied message.

Hope that makes sense...

Jason

media girl

This is a basic privacy feature for the various php forum progs, for example. For community-oriented websites, this would be a most essentially helpful feature.

An added plus would be to add role permissions to this access, so that access to the profiles could be limited (as in access to posts via taxonomy_access). But I realize this would be more involved. Implementing the basic privacy is higher priority, with or without permissions.

--
mediagirl.org

Dublin Drupaller

Hi Media girl..

i think the basic privacy has been overlooked in general with the user profile module..i.e. if someone tries the same with guessing blog/number or other content...it appears that the access denied privacy thing is covered.

In the admin-users-configure-permissions page..there is an option to enable/disable ACCESS USER LIST...but even if it is disabled for anonymous users...they can still view the user profiles.

Jason

Steve Dondley

Where do you see the "ACCESS USER LIST"? Are you using the CVS version?

All an anonymous user sees on my site is "Blog: view recent blog entries" and "Member for: xxxx days".

Perhaps I upgraded my user.module to CVS? I don't remember now.

Dublin Drupaller

Hi nysus..

Sorry if I have confused...I'm using 4.5 and the user.module I am using is:

$Id: user.module,v 1.407.2.5 2004/11/23 21:52:43 dries Exp $

I can see ACCESS USER LIST just above ADMINISTER USERS in the ADMIN- USERS - CONFIG - PERMISSIONS page

Hope that helps..

Steve Dondley

I don't have that permission. It appears I'm using an older version of the user.module however that dates back to October.

But I looked at the raw code of your version at http://cvs.drupal.org/viewcvs/*checkout*/drupal/drupal/modules/user.modu...
and couldn't find the permission there either.

At any rate, it doesn't look like I can be of any help since I don't have the same version, though.

jxs2151

An anonymous user clicks a username, like what is presented in "Submitted by..." above a node. They can then see profile information and then can click a custom field like "Female" and get a listing of all female members (Ex: profile/gender/Female)

I think this is way too much info for an anonymous user to access.

--- www.thestevensons.org

Steve Dondley

I'm not sure I fully understand the privacy concern but that's not really important.

I'd recommend putting in a feature request to the Drupal core's user module. Blocking user pages would be a very simple fix and it's just a matter of adding a new permission to the user module with 2 lines of code. See what the core developers think of the idea.

You can make feature requests here: http://drupal.org/project/issues. Put a link to this discussion in your request.

sepeck

if you are referring to the configuration on drupal.org, that is set that way on purpose. Users only input the information they want to.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

Dublin Drupaller

bumping this to see if anyone has come up with those 2 lines of code as mentioned by nysus.

Sorry if this is extremely simple to fix....but am a newbie...

Have submitted a feature request as nysus suggested.

Jason

Mr Maggoo

I've tried to solve this for my site.. and this code works:

function theme_user_profile($account, $fields) {
  global $user;
  if ($user->uid) {
    // Logged in: display the account details and the profile fields.
    $output = "<div class=\"profile\">\n";
    $output .= theme('user_picture', $account);
    foreach ($fields as $category => $value) {
      $output .= "<h2>$category</h2>$value";
    }
    $output .= "</div>\n";
  }
  else {
    // Not logged in: show a message instead of the profile.
    $output = "<div class=\"profile\">\n";
    $output .= "Sorry, to view this you must <a href=\"?q=user/login\">log in</a>";
    $output .= "</div>\n";
  }
  return $output;
}

You have to overwrite your theme_user_profile function in user.module (starts on line 610) or comment it out and replace it with this.

Hope that helps.

Mr Maggoo

Dublin Drupaller

Thanks a million for that little gem...worked perfectly (Am using 4.5.0)

Cheers..

Jason

Dublin Drupaller

Hiya..

Just noticed that when a logged in user tries to access the user list, it generates an error on my drupal after applying your snippet/patch...did you experience the same?

Jason

Dublin Drupaller

Hiya Mr Maggoo

Have solved the problem by making two adjustments...(other users please note I am using drupal 4.5.0..I'm not sure if this works with other versions)

adjustment #1 adds in an extra field that shows up on the ADMINISTER - USERS - CONFIGURE - PERMISSIONS page and is simply an ACCESS USERS function where you can specify which roles have access to view the USER LIST and USER DETAILS.

A simple way of applying this change if you're (like me!) not very familiar with php is to open user.module in a text editor like NOTEPAD.EXE. Search for the following string function user_perm() and replace the lines you see in your user.module with this.

function user_perm() {
  return array('administer users', 'access users');
}

Adjustment #2 is the following replacement of the theme_user_profile function in USER.MODULE....very similar to your snippet..the only difference is Drupal looks to see if the user has ACCESS to view the user list/user profiles rather than if they are logged in.

A simple way of applying this change if you're (like me!) not very familiar with php is to open user.module in a text editor like NOTEPAD.EXE. Search for the following string theme_user_function and replace the lines you see in your user.module with this.

function theme_user_profile($account, $fields) {
  if (user_access('access users')) {
    // The viewer holds the 'access users' permission: display the account
    // details and the profile fields.
    $output = "<div class=\"profile\">\n";
    $output .= theme('user_picture', $account);
    foreach ($fields as $category => $value) {
      $output .= "<h2>$category</h2>$value";
    }
    $output .= "</div>\n";
  }
  else {
    // The viewer lacks the permission: show a message instead of the profile.
    $output = "<div class=\"profile\">\n";
    $output .= "Sorry. You must <a href=\"?q=user/login\">LOGIN</a> to have access to view this page.";
    $output .= "</div>\n";
  }
  return $output;
}

DON'T FORGET ! after applying this patch/amendment to the user.module to go to ADMINISTER - USERS - CONFIGURE - PERMISSIONS to switch on the ACCESS USERS option for the appropriate user roles....

I hope that is of use to others...

Jason

tulula

I tried to email you, Jason (Dublin Drupaller), through your Drupal anonymous contact info about this with no response... maybe it went out to no-return-ville? :)

Anyway, I did your suggested changes above and now all users who do not have access users permission checked for their role are now not able to view their own user account profile information. The only way they can see their profile information is when I check the permission for "access users" which wasn't the initial goal when attempting this manual change.
I've triple checked all spelling to this adjustment too... HELP! :)

I'm running 4.5...

Lisa

Dublin Drupaller

A new permission field such as "EDIT OWN ACCOUNT" needs to be added to the module....have you sorted that or do you still need help with it?

Sorry tulula..I may have accidentally missed your email...have a bulletproof spam checker on my inbox which might have booted it.

Let me know if you haven't sorted out the problem...I might be able to help hack a solution for you.

Dub

___________________________________________________
A drupal user by chance and a dubliner by sheer luck.
Using Drupal to help build Artist & Band web communities.

tulula

Mr Maggoo's quick fix from early Dec's post, however that doesn't allow for permission setting like you were aiming at.

I'd be willing to try whatever attempt you might be able to come up with something?

Lisa

Dublin Drupaller

HI Tulula,

Tried emailing you using the contact form, but it bounced back...(have you changed your email address from tulula[at]telus.net?)

Anyway..would like to try and help with your user access problems...am I correct in thinking you would like the following:

a) Anonymous users & Authenticated Users cannot view user profiles (other than their own)

b) Authenticated Users or Users with a specific role can view/edit their own user profiles.

Is that correct?

Dub

tulula

I vote YES for both A) and B)

AND, just used the contact form to let you know that my email in the contact form was outdated! Just updated so I'm contactable there if that's workable for you! :)

Lisa

Dublin Drupaller

Hi Tulula,

Have sussed a solution for what you wanted....i.e.

A) Authenticated and anonymous users are NOT able to view other accounts.
B) Authenticated users, with the correct permissions set, ARE able to view their own and edit their own accounts.

To implement:

1. open up user.module in a text editor like notepad.exe

2. search for the "function user_perm" string and replace the line with the amended version below:

function user_perm() {
  return array('administer users', 'access users', 'edit own account'); // change this line
}

3. Search for the "function theme_user_profile" string and change the lines to the following:

function theme_user_profile($account, $fields) {
  global $user;
  // change this line: 'access users' may view any profile; otherwise the viewer
  // must be the account owner AND hold 'edit own account' (&& binds tighter than ||)
  if (user_access('access users') || ($user->uid == $account->uid && user_access('edit own account')))

4. Save user.module and upload it to your /modules/ folder. (worth making a backup of the current version before you do that)

5. go to ADMINISTER -> USERS -> CONFIGURE -> PERMISSIONS

6. Toggle EDIT OWN ACCOUNT for the user roles you want.

Hope that's of use to you....

Dub
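The three access conditions that appear in this thread (Mr Maggoo's "is the viewer logged in" test, the 'access users' permission from adjustment #2, and the final "'access users', or own account plus 'edit own account'" condition) modelled side by side outside Drupal, as an added example. This is not code from the thread or from Drupal: user_access() is replaced by a stand-in over a constructed role table, and the accounts, uids and role names are made up for the demonstration; only the permission names come from the thread.

```php
<?php
// Added example (not from the thread or from Drupal): compares the three
// profile-view conditions discussed in the thread on a constructed role table.

// Constructed role -> permissions table (hypothetical site configuration).
$role_permissions = array(
    'anonymous user'     => array(),
    'authenticated user' => array('edit own account'),
    'moderator'          => array('access users', 'edit own account'),
);

// Stand-in for Drupal's user_access(): true if any of the viewer's roles grants $perm.
function has_perm($viewer, $perm) {
    global $role_permissions;
    foreach ($viewer['roles'] as $role) {
        if (in_array($perm, $role_permissions[$role], true)) {
            return true;
        }
    }
    return false;
}

// Variant 1 (Mr Maggoo's snippet): any logged-in user may view any profile.
function can_view_logged_in($viewer, $account) {
    return $viewer['uid'] != 0;
}

// Variant 2 (adjustment #2): only roles holding 'access users' may view a profile.
// This is what locked tulula's users out of their own profile pages.
function can_view_access_users($viewer, $account) {
    return has_perm($viewer, 'access users');
}

// Variant 3 (final fix): 'access users' sees everyone; otherwise the viewer must
// be the account owner AND hold 'edit own account'. Written with explicit
// parentheses because && binds tighter than || in PHP.
function can_view_own_or_access($viewer, $account) {
    $is_owner = ($viewer['uid'] != 0 && $viewer['uid'] == $account['uid']);
    return has_perm($viewer, 'access users')
        || ($is_owner && has_perm($viewer, 'edit own account'));
}

// Constructed accounts (uids and names are made up).
$anon  = array('uid' => 0,   'roles' => array('anonymous user'));
$lisa  = array('uid' => 42,  'roles' => array('authenticated user'));
$jason = array('uid' => 293, 'roles' => array('authenticated user'));
$mod   = array('uid' => 7,   'roles' => array('authenticated user', 'moderator'));

$cases = array(
    'anon -> user/293' => array($anon, $jason),
    'lisa -> user/293' => array($lisa, $jason),
    'lisa -> user/42'  => array($lisa, $lisa),
    'mod  -> user/293' => array($mod,  $jason),
);

printf("%-18s %-10s %-13s %-14s\n", 'case', 'logged-in', 'access-users', 'own-or-access');
foreach ($cases as $label => $pair) {
    list($viewer, $account) = $pair;
    printf("%-18s %-10s %-13s %-14s\n", $label,
        can_view_logged_in($viewer, $account)      ? 'allow' : 'deny',
        can_view_access_users($viewer, $account)   ? 'allow' : 'deny',
        can_view_own_or_access($viewer, $account)  ? 'allow' : 'deny');
}
```

Run it with the php command-line interpreter. The "lisa -> user/42" row is the case tulula reported: under the 'access users'-only condition an ordinary member is denied her own profile, while the final condition allows it and still denies her view of user/293. All three variants live in theme_user_profile(), so they only change what the profile page renders; the profile/<field>/<value> listings mentioned earlier in the thread are a separate path that this check does not cover.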

Bèr Kessels

Please refer to http://drupal.org/node/4166.

And if this solved your problem, would you be so kind as to report back that it helped? This will help others who are looking for the same solution.

[Ber | Drupal Services webschuur.com]

tulula

Any patch out there for allowing users to select whether their information per field can be made private/public?

Lisa

Bèr Kessels

But not for per-field permissions. That would not be a patch, but a new module. You would be rewriting a part of the profile module. That is easy though, since you need no real complex stuff in there.

[Ber | Drupal Services webschuur.com]