hook_user doesn't check permissions
jredding - November 30, 2008 - 16:56
| Project: | User Points Top Contributors |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | jredding |
| Status: | needs review |
Description
Userpoints has two permissions; userpoints_perm_view and userpoints_perm_view_own (added in November, 2008). The hook_user doesn't check for either of these thus displaying the user's points regarding of the viewing user's permissions.
The attached patch corrects this thus requiring the viewer to have the "view userpoints" permission to see points for all users or the "view own userpoints" to see their userpoints.
This patch has not been tested.
| Attachment | Size |
|---|---|
| up_top_contrib_check_perms_hook_user.patch | 2.19 KB |