Adding access checks to the user pages for persona
| Project: | OpenID Attribute Exchange Implementation |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | reviewed & tested by the community |
The current implementation of the module has the access permissions set to TRUE, so even users who are not authenticated into the site can look at a user's page provided they have the correct URL and user id to go to. They would also be able to update, create and delete personas from the system.
The attached patch for the module adds two checking functions.
The first is for viewing the personas and allows only the user or a site administrator to view the personas.
The second is purely for the user so they can create, delete, copy and modify their personas.
I did not think users would want site administrators playing with their personas hence only the user would be able to access this functionality for their account. If site administrators need access also, we can remove the second function and just utilize the first function.
Thoughts welcome regarding the patch.
| Attachment | Size |
|---|---|
| openid_ax.module.patch | 2.67 KB |
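
The two access checks described in the post above, sketched for Drupal 6 as an added example; this is not the attached patch or the module's own code. The `example_persona_*` names, the menu paths, the page and form callbacks (assumed to be defined elsewhere in the module) and the use of the `administer users` permission to mean "site administrator" are all assumptions.

```php
<?php
// Added illustration for Drupal 6. Paths, function names and the chosen
// admin permission are hypothetical, not taken from openid_ax.module.

/**
 * Implementation of hook_menu().
 */
function example_persona_menu() {
  $items = array();

  // Problem case: "'access callback' => TRUE" on these items would let any
  // visitor, logged in or not, reach them by knowing the URL and the uid.

  // Viewing: the account owner or a site administrator.
  $items['user/%user/persona'] = array(
    'title' => 'Personas',
    'page callback' => 'example_persona_list',        // hypothetical callback
    'page arguments' => array(1),
    'access callback' => 'example_persona_view_access',
    'access arguments' => array(1),                   // loaded account object
    'type' => MENU_LOCAL_TASK,
  );

  // Create, delete, copy and modify: the account owner only.
  $items['user/%user/persona/add'] = array(
    'title' => 'Add persona',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_persona_form', 1), // hypothetical form
    'access callback' => 'example_persona_edit_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// First check: the viewer owns the account or is an administrator.
function example_persona_view_access($account) {
  global $user;
  // uid 0 is the anonymous account; it must never match as "owner".
  return $user->uid > 0
    && ($user->uid == $account->uid || user_access('administer users'));
}

// Second check: strictly the owner, so administrators cannot alter personas.
function example_persona_edit_access($account) {
  global $user;
  return $user->uid > 0 && $user->uid == $account->uid;
}
```

Because hook_menu() results are cached, the menu has to be rebuilt (for example by clearing the cache) before changed access callbacks take effect.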

#1
Have updated the patch to also include the new menu hierarchy for the module. This does away with calls to functions that only call drupal_get_form and also adds the security permissions that were above.
Some paths have been altered and moved around for the menu tab and now the openid attribute exchange will default to the manage screen instead of the default persona.
I think the changes make the module easier on the UI, however if not let me know.
This will resolve the issue in http://drupal.org/node/312501 for the xrds portion which is included in this patch,
http://drupal.org/node/312320 the coding standards for Drupal are being adhered to in this patch.
Respectfully,
Darren Ferguson
#2
I have tried the latest patch and it seems broken: when I go to edit a persona, I end up in the profile edition form, not in a persona-looking edition form.
The patch does apply cleanly however.
#3
Otherwise the first patch is fine: I would suggest committing the first patch and opening a new issue on the UI improvements, which need work.
So I'm marking this reviewed & tested, but it must be clear that only the first patch should be committed, not the second.