Private profile fields are displayed in search

omnyx - August 22, 2008 - 13:39
Project:Profile Privacy
Version:5.x-1.1
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:postponed (maintainer needs more info)
Description

Even if a user decides to make a profile field private, the information in that field is still displayed when searched.
Maybe this should be filed against the search module?

It's a great module nonetheless. Thanks!

#1

omnyx - August 23, 2008 - 06:33

The problem is that the profileplus module (or any module that searches through user profiles) looks at the privacy values in the 'profile_fields' table and not the 'profile_privacy_values' table.

The search code is the following (for users that do not have 'user admin' privileges):

<?php
$sql = "FROM {users} u INNER JOIN {profile_values} pv ON u.uid = pv.uid INNER JOIN {profile_fields} pf ON pv.fid = pf.fid WHERE pv.value LIKE '%%%s%%' OR u.name LIKE '%%%s%%' AND pf.visibility IN (%d, %d) AND u.status = 1";

$result = db_query('SELECT DISTINCT u.* '.$sql, $keywords[$j], $keywords[$j], PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
?>

I'm really bad with SQL - do you have any ideas how I could join the tables or whatever to filter out fields for the users that declared them private? :D

Thanks!

UPDATE:
This is the code that I used - seems to work:

<?php
// Join the privacy table on both fid and uid so each value is checked against
// its own owner's setting; no row (NULL) or private = 0 leaves the value searchable.
$sql = "FROM {users} u INNER JOIN {profile_values} pv ON u.uid = pv.uid INNER JOIN {profile_fields} pf ON pv.fid = pf.fid LEFT OUTER JOIN {profile_privacy_values} ppv ON pv.fid = ppv.fid AND pv.uid = ppv.uid WHERE (ppv.private IS NULL OR ppv.private = 0) AND (pv.value LIKE '%%%s%%' OR u.name LIKE '%%%s%%') AND (pf.visibility IN (%d, %d)) AND (u.status = 1)";

$result = db_query('SELECT DISTINCT u.uid, u.name, u.mail, pf.fid, pf.title, pv.value '.$sql, $keywords[$j], $keywords[$j], PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
?>
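
The following is an added example, not part of the original thread and not code from profileplus or Profile Privacy. It runs the search against an in-memory SQLite database with constructed rows to compare a privacy join on fid alone with a join on fid and uid: with one private user both hide the value, but once a second user marks the same field private, the fid-only join returns everyone. The visibility values 2 and 3 (standing in for PROFILE_PUBLIC and PROFILE_PUBLIC_LISTINGS) and the sample users are assumptions.

```python
import sqlite3

# Constructed data. Table and column names follow the queries in this thread;
# Drupal's {table} braces and %s/%d placeholders are replaced by SQLite syntax.
SCHEMA = """
CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER);
CREATE TABLE profile_fields (fid INTEGER, title TEXT, visibility INTEGER);
CREATE TABLE profile_values (fid INTEGER, uid INTEGER, value TEXT);
CREATE TABLE profile_privacy_values (fid INTEGER, uid INTEGER, private INTEGER);
INSERT INTO users VALUES (1,'alice',1), (2,'bob',1), (3,'carol',1);
INSERT INTO profile_fields VALUES (10,'City',2);
INSERT INTO profile_values VALUES
  (10,1,'Springfield'), (10,2,'Springfield'), (10,3,'Springfield');
"""

# Only the two constant fragments below are formatted in; the keyword is bound.
QUERY = """
SELECT DISTINCT u.name FROM users u
  INNER JOIN profile_values pv ON u.uid = pv.uid
  INNER JOIN profile_fields pf ON pv.fid = pf.fid
  LEFT OUTER JOIN profile_privacy_values ppv ON {join}
WHERE ({privacy}) AND (pv.value LIKE :kw OR u.name LIKE :kw)
  AND pf.visibility IN (2, 3) AND u.status = 1
ORDER BY u.name
"""
# Join on the field only: a value is paired with every user's privacy row.
FID_ONLY = QUERY.format(
    join="pv.fid = ppv.fid",
    privacy="ppv.private IS NULL OR (ppv.private = 0 AND pv.uid = ppv.uid)"
            " OR (ppv.private = 1 AND pv.uid != ppv.uid)")
# Join on field and owner: a value is paired only with its owner's row.
PER_OWNER = QUERY.format(
    join="pv.fid = ppv.fid AND pv.uid = ppv.uid",
    privacy="ppv.private IS NULL OR ppv.private = 0")

def search(query, keyword, private_uids):
    """Return matching user names when private_uids marked field 10 private."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO profile_privacy_values VALUES (10, ?, 1)",
                   [(uid,) for uid in private_uids])
    rows = db.execute(query, {"kw": f"%{keyword}%"}).fetchall()
    db.close()
    return [name for (name,) in rows]

if __name__ == "__main__":
    for label, q in (("fid only", FID_ONLY), ("fid + uid", PER_OWNER)):
        print(label, search(q, "Springfield", [1]), search(q, "Springfield", [1, 2]))
```

A test with a single private user cannot tell the two joins apart, so a regression test for this filter needs at least two users who have marked the same field private.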

#2

coltrane - May 31, 2009 - 20:49
Status:active» postponed (maintainer needs more info)

@omnyx Since you're changing the query in the profileplus module, this issue should really be filed against it, but I can see how there needs to be some easy way to bridge that module (and any other module that displays profile data) with profile privacy. This is a sticky and larger problem; I'm postponing for now.

 
 
