I'm having a few problems with Profile2 permissions.
Basically when I change a user's permission so they cannot edit (any profile) (but can still view their own profile) their menu link in their block disappears additionally the user cannot access the page by the original URL.
Interestingly when I tried to test this with the Admin account and revoke their privileges to edit (and this includes removing the ability to 'Administer Profiles') I could still see the page and be able to edit it?
Please note I do not have caching enabled, I have cleared cache just incase in every instance and the permissions for the block that displays the menu are all correct.
Hope you can help as I really need to prevent authenticated users from editing certain Profiles.
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | see_own_profile_page-1954290-9.patch | 585 bytes | crantok |
Comments
Comment #1
spessex commentedPlease also note I have rebuilt permissions.
Comment #2
spessex commentedPlease also note that you can view the authenticated user's page (once the edit permissions are removed and view is granted) if the user ID is entered into the URL. So for example:
http://localhost/path/path/profile-live_surveys will not work in this instance and will show a 403 page. However:
http://localhost/path/path/profile-live_surveys/352 will work and you can see the page. (But please note you can still not see the link).
Comment #3
spessex commentedI think this might need to be upgraded to priority 'major'?
Comment #4
spessex commentedPlease note from further investigation there definitely appears to be something not quite right with the way Profile2 translates a URL path/token. Considering the original problem whereby it is impossible for the user to only have a 'view' tab and no 'edit' tab I tried the following (see below to redirect a user if they click the edit tab of the profile) and noticed tokens only appear to work for the Administrator and will not work for any other user.
It's a bit of work-around the way I have tried to delve into the problem but to recreate please do the following:
1. Install 'Redirect' module;
2. Create a small bespoke module to allow the 'Redirect' to use tokens. Code below:
<?php
/**
* Implements hook_redirect_alter
*/
function ste_survey_edit_redirect_redirect_alter(&$redirect){
global $user;
// Only act if user token in redirect path
if(!empty($redirect->redirect) && strpos($redirect->redirect, 'user') !== FALSE){
if(!user_is_logged_in()){
// Bounce via login back to source path
$redirect->redirect = 'user/login';
$redirect->redirect_options['query'] = array('destination' => $redirect->source);
}else{
// Apply user tokens to redirect path
$redirect->redirect = token_replace($redirect->redirect, array('user' => $user));
}
}
}
3. Create two redirects in the 'Redirect' configuration window. (1) from profile-profile_name/317/edit (where 317 can be any user ID you have) redirecting to some other page and (2) profile-live_surveys/[profile2:user:uid]/edit redirecting to some other page aswell.
You should notice that (1)'s redirection - where the user ID is specifically identified - works and redirects. However (2) does not work for any user OTHER THAN ADMIN.
Comment #5
spessex commentedPlease also note in the example (2) above where the redirect works only for Administrator if you duplicate the Administrator role in permissions as expected this role does also work with example (2), however interestingly if you check the other authenticated user's access rights to mirror those of the administrators, example (2) does not work and he will not be re-directed like the administrator is (even though they have exactly the same access rights!?)
Comment #6
andy_g commentedI have exactly the same issue. It must be an incredibly common requirement to have certain profiles that are viewable and not maintainable; in my case, address and email ('contact' profile) must be viewable and editable, but Ranking Points ('Points' profile) must be only viewable and editable by the administrator.
Will do some further digging to see if I can find a solution.
cheers,
Andy
Comment #7
andy_g commentedThe best way I have found as a workaround is to use the Menu Token module to replace the missing menu. The permissions seem to work ok (as per the discussion on the parallel thread (http://drupal.org/node/1836322) and so it's more a question of replacing the missing menu with your own manual one.
Comment #8
spessex commentedHi Andy
I'm sure I tried this but couldn't get it to work. I'll give it another shot at some point. In the mean time I end up using 'Tab Tamer', although not a great solution basically it means I can maintain the usual permissions i.e. keep 'edit' but tell Tab Tamer to remove the 'Edit' tab for that particular page which kind of solves my issue but not very eloquently (I needed to hide 'edit' from all roles for that particular menu items, I'm not sure it would work if you needed to do it on a role basis).
Comment #9
crantok commentedPatch attached. Simplest possible fix: Instead of checking for "edit own..." it checks for "view own...".
This means no other permission that would normally be expected to grant the same thing will be respected, e.g "view any..." or "administer profiles". Will add a more comprehensive patch if I feel I have the time.
Comment #11
spleshkaThanks @crantok for the patch, I've commited it to 7.x-1.x. Personally I think no need to work on the enhancements of this permission, because a URL "/profile-name" should be visible only by currently logged in person. To view somebody else's profile we have "/profile-name/uid" page. So I'm happy to close the issue with the given patch.
Thanks everyone for the work.
Comment #12
spleshkaUpdating the issue metadata.