Userpoints has two permissions; userpoints_perm_view and userpoints_perm_view_own (added in November, 2008). The hook_user doesn't check for either of these thus displaying the user's points regarding of the viewing user's permissions.

The attached patch corrects this thus requiring the viewer to have the "view userpoints" permission to see points for all users or the "view own userpoints" to see their userpoints.

This patch has not been tested.

CommentFileSizeAuthor
up_top_contrib_check_perms_hook_user.patch2.19 KBjredding

Comments

kmillecam’s picture

kmillecam commented
Status: Needs review » Fixed

Committed to dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.