Hi,

Right now, you can have /user/%/friends (which will appear in a tab). You CAN also have /user/%/pending (list of people who are waiting the user's confirmation). However, it will be visible to _everybody_! This is clearly wrong. We need a Views plugin which will give access to a view only if that % == $user->uid (the logged in user).

That plug in right now doesn't exist. If it did, it would probably be added to the list of default plugins in Views.

Merlin kindly explained how to do it:

#305250: Restrict access to view if $user == % (first parameter)

This is not a specific issue with FriendList... it applies to any module that has a user-oriented view and wants to make that view available only to the "owner". However, I am leaving this here... just because I might actually give it a go..

Bye,

Merc.

Comments

mercmobily’s picture

mercmobily commented
Status: Active » Postponed

Hi,

This is postponed until #305250: Restrict access to view if $user == % (first parameter) is done.

Merc.

mercmobily’s picture

mercmobily commented

Hi,

In an IRC session, Merlin pointed this out:

http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/project_iss...

Thins to change according to MerlinOfChaos:

"The actual test; that one tests to see if the uid is empty, I think."

And to make it into a proper Views core patch:

"add an option in the options_form that is probably a radio that says "pass if the user is the user ID in the argument" and "fail if the user is the user ID in the argument". Or something along those lines.

Maybe I will give this another go. They really spoon-fed me this one...

Merc.