Access failure after using personal contact form

Project: Drupal core
Version: 7.x-dev
Component: contact.module
Category: bug report
Priority: normal
Assigned: Dave Reid
Status: needs work
Issue tags: needs backport to D5, needs backport to D6

Issue Summary

To replicate this issue:

  • set the permissions for the user module's "access user profiles" to be accessible to admins, only
  • log in as a non-admin user and set that user's profile to allow their "Personal contact form"
  • as that same non-admin user, post a comment to a forum, blog, whatever—i.e., ensure that there's a "contact the author" link available
  • log out and log in as a different non-admin user
  • use the aforementioned "contact the author" link to access that user's "Personal contact form" and send that user a message
  • observe that, when the message has been sent, you are sent to that user's profile page (i.e., the user whose "Personal contact form" you'd just used) but, since you don't have access to that user's profile page, you receive a "whatever the site's configured to do with access-denied errors" page

It appears that, in contact.pages.inc

  // Back to the requested users profile page.
  $form_state['redirect'] = "user/$account->uid";

should first employ a permissions check and, if the target user's profile page is not accessible, use an alternate/accessible redirect.

Comments

#1

Status: active » closed (duplicate)

Will be fixed with #58224: Allow anonymous users access to a members personal contact form

#2

Version: 6.4 » 7.x-dev
Assigned to: Anonymous » Dave Reid
Status: closed (duplicate) » active

Actually, I think I prefer to fix this separately. Assigning myself and marking back to active.

#3

Status: active » needs review

Patch attached for review, including tests!

Attachment: 299216-contact-redirect-access-denied-D7.patch (4.71 KB), status: Idle, test result: Unable to apply patch 299216-contact-redirect-access-denied-D7.patch

#4

Status: needs review » needs work

For users without access user profiles permission, this should really redirect back to the homepage instead of staying on the contact form. This is what the site-wide contact form does in order to prevent confusion if the sent e-mail triggers flood control on the contact form. Will re-roll tomorrow.

#5

Status: needs work » needs review

Revised patch that uses:

-  // Back to the requested users profile page.
-  $form_state['redirect'] = "user/$account->uid";
+  // Jump to home page or the user's profile rather than back to user's contact
+  // form to avoid contradictory messages if flood control has been activated.
+  $form_state['redirect'] = user_access('access user profiles') ? 'user/' . $account->uid : '';
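Review bot: The guard on the `+  $form_state['redirect'] = user_access('access user profiles') ? ...` line checks only the single "access user profiles" permission, whereas the issue summary asks for a check that the target user's profile page is actually accessible; if the profile route applies any further rule (for example denying access to a blocked account), the redirect can still land on an access-denied page, so consider reusing whatever access check guards the profile page itself rather than the bare permission. Two smaller points: the new comment should say what the empty-string redirect resolves to (the front page), since that is not obvious from the code, and the new line is well over 80 characters, so splitting the condition out into a variable would keep it within the project's line-length convention.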
Attachment: 299216-contact-redirect-access-denied-D7.patch (4.22 KB), status: Idle, test result: Failed: Failed to apply patch.

#6

Status: needs review » needs work

The last submitted patch failed testing.

#7

The fix part of this landed as a part of #601250: Allow anonymous users to use personal contact forms but should still have some tests written for it.