The solution for #1419506 ("User update resource allows name update without 'Change own username' permission") only checks the permission for 'change own username'. A user resource accessed by an account with 'administer users' but not 'change own username' will receive '406 Not Acceptable: You are not allowed to change your username.'

IMO, a user with 'administer users' should be able to change any user's username.

Comments

marcingy

Status: Active » Reviewed & tested by the community

This makes sense.

kylebrowning

Status: Reviewed & tested by the community » Closed (fixed)

Fixed and committed in both 6.x and 7.x, attributed to --author="jonathanhunt "

usonian

Status: Closed (fixed) » Active

I found my way to this issue because I was getting the 'You are not allowed to change your username' issue when trying to use the user update API method as a user that definitely has 'administer user' permissions.

Unless I'm misunderstanding the intended logic, shouldn't the call to user_access('administer user') permission be negated, so the logic goes like:

IF

the account name is set AND the account name does not equal the current user's name AND the current user does NOT have the 'change own username' permission,

OR

the current user does NOT have the 'administer users' permission

THEN

Return the 'You are not allowed to change your username' error.

kylebrowning

Status: Active » Closed (fixed)

usonian, fixed in dev for 6.x and 7.x

kevin.dutra

Version: 7.x-3.3 » 6.x-3.x-dev
Status: Closed (fixed) » Reviewed & tested by the community

This patch did not get correctly applied to 6.x-3.x. There's a set of parens missing, so it's currently

if (isset($account['name']) && $account['name'] != $user->name && !user_access('change own username') || user_access('administer users'))

but should be

if (isset($account['name']) && $account['name'] != $user->name && !(user_access('change own username') || user_access('administer users')))

Re-marking as RTBC since it was already accepted.

kylebrowning

Status: Reviewed & tested by the community » Fixed

Whoops, fixed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

frega

Version: 6.x-3.x-dev » 7.x-3.x-dev
Issue summary: View changes
Status: Closed (fixed) » Needs review
Attachment: new, 711 bytes

Reopening this rather than #1419506: User update resource allows name update without 'Change own username' permission, because this is more recent and commit 614b94a7c08ee67adc557819b2a86c1d630a995e references this issue.

The name-change permission check is correct in the 6.x-3.x branch but it isn't correct in the 7.x-3.x branch.
6.x-3.x logic: services_error if name change and user has NOT ( either 'change own username' OR 'administer users' permission, i.e. neither )
7.x-3.x logic: services_error if name change and user has NOT ( 'change own username' OR NOT 'administer users' permission)

For 7.x-3.x the line reads:

git blame resources/user_resource.inc | grep 'change own username'
614b94a7 (Kyle Browning   2013-03-18 15:35:07 -0700 322)   if (isset($account['name']) && $account['name'] != $account_loaded->name && !(user_access('change own username') || !user_access('administer users'))) {

For 6.x-3.x accordingly:

git blame resources/user_resource.inc | grep 'change own username'
c0c689a8 (h3rj4n          2013-05-11 23:31:20 -0700 309)   if (isset($account['name']) && $account['name'] != $user->name && !(user_access('change own username') || user_access('administer users'))) {

Please find a micro patch attached - I know a test would be great :(
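The two mistakes described in this thread (kevin.dutra's missing parentheses in 6.x-3.x, and the inverted 'administer users' test frega found in 7.x-3.x) are easy to misread in a single long condition. The following is an added example, not code from the Services module or from anyone in this thread: it rewrites each variant of the check as a pure function over a set of granted permissions and tabulates them against a few constructed scenarios. The permission strings are the real Drupal ones quoted above; the function names, the `has_perm()` stand-in for `user_access()`, and the sample accounts are assumptions made up for the example.

```php
<?php
// Added example (not Services module code): the three variants of the
// username-change check from this issue, side by side. has_perm() stands in for
// Drupal's user_access(); the scenarios below are constructed, not real accounts.

/** Stand-in for user_access(): true if $perm is in the granted set. */
function has_perm(array $perms, string $perm): bool {
    return in_array($perm, $perms, true);
}

/** Shared precondition: a name was supplied and it differs from the stored one. */
function name_changes(?string $new_name, string $current_name): bool {
    return $new_name !== null && $new_name !== $current_name;
}

// Variant 1: the 6.x-3.x line with the parentheses missing (kevin.dutra's comment).
// '&&' binds tighter than '||', so this parses as
//   (name_changes && !change_own) || administer
// and therefore errors out for every administrator, even when no name is sent.
function denied_missing_parens(?string $new, string $cur, array $perms): bool {
    return name_changes($new, $cur) && !has_perm($perms, 'change own username')
        || has_perm($perms, 'administer users');
}

// Variant 2: the 7.x-3.x line with the negated 'administer users' test (frega's comment).
// !(change_own || !administer) is the same as (!change_own && administer), so the only
// callers refused are administrators without 'change own username': the opposite of the intent.
function denied_inverted_admin(?string $new, string $cur, array $perms): bool {
    return name_changes($new, $cur)
        && !(has_perm($perms, 'change own username') || !has_perm($perms, 'administer users'));
}

// Variant 3: the intended check. Deny only when the name changes and the caller
// holds neither permission.
function denied_correct(?string $new, string $cur, array $perms): bool {
    return name_changes($new, $cur)
        && !(has_perm($perms, 'change own username') || has_perm($perms, 'administer users'));
}

// Constructed scenarios: [label, submitted name, stored name, granted permissions].
$cases = [
    ['admin, no rename',      null,  'alice', ['administer users']],
    ['admin renames',         'bob', 'alice', ['administer users']],
    ['own-name perm renames', 'bob', 'alice', ['change own username']],
    ['no perms renames',      'bob', 'alice', []],
    ['both perms renames',    'bob', 'alice', ['administer users', 'change own username']],
];

printf("%-24s %-15s %-15s %-8s\n", 'scenario', 'missing parens', 'inverted admin', 'correct');
foreach ($cases as [$label, $new, $cur, $perms]) {
    printf("%-24s %-15s %-15s %-8s\n", $label,
        denied_missing_parens($new, $cur, $perms) ? 'DENY' : 'allow',
        denied_inverted_admin($new, $cur, $perms) ? 'DENY' : 'allow',
        denied_correct($new, $cur, $perms) ? 'DENY' : 'allow');
}
```

Running it with `php` prints one row per scenario. Only the last column denies exactly the unprivileged rename: the first column refuses every administrator (including one who sent no name at all), and the second lets a caller with no permissions rename the account while refusing an administrator who lacks 'change own username'. When reviewing a condition like this, the quick check is to pick the one caller who must be allowed (an administrator) and the one who must be refused (no permissions) and evaluate the expression by hand for both.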

kylebrowning

Attachment: new, 2.33 KB

Here's a patch with a test; if green, I will commit.

kylebrowning

Status: Needs review » Reviewed & tested by the community

green light!

kylebrowning

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.