Remove code containing user access controls from profile theme functions

patch still applies. Anyone care to review?

chx: $account is already in use and I didn't want to replace it ($account = user_load()) - or do you think that would be ok in this case?

updated with $account

The helper function in quetion, profile_view_field($user, $field)) , implements all of the access permission checks for the entire module's output. It does two things; it sees whether the current user is allowed to see the field, and it builds the standard output for the field. Building the ouput usually means calling functions like check_plain() or l().

The entire point of the patch can be seen here:

Before

  foreach ($fields as $field) {
    if ($value = profile_view_field($user, $field)) {
      $output .= " <div class=\"field\">$value</div>\n";
    }
  }

In this code, the profile_view_field($user, $field) call filters the $field array based on user permissions. It returns a non-themable, pre built piece of output called $value.

After

  foreach ($fields as $field) {
    if ($field->value) {
      $output .= " <div class=\"field\">$value</div>\n";
    }
  }

The $fields array has already been filtered using profile_view_field so that only the fields that the current user is allowed to see are in it.

What does a themer do with a theme function like this? In the first version, they take the $fields array and start extracting values from it to display the unthemable information as desired. Oops, user access goes out the window. In the second version, the themer extracts the same, unthemable information from the $fields array to display it as desired. No problems with access control.

People who were theming this using the current theme functions were ending up with broken permissions and were, as a result, re-programming them at the theme level and writing in the handbook and forums that PHPTemplate doesn't respect permissions.

PS why didn't your follow up send a mail to the devel-list, Dries?