Hi Tony,

First, thanks for the module, it seems to be working well with the latest release for D6.

The Addresses tab is viewable for all users when you click on their profile (for authenticated users, not just admin). I.e. user creates new account, clicks on another user's profile, they can see the other users addresses under the address tab.

add/edit addresses -- set to authenticated users only
view all addresses -- all off (shouldn't this have disabled it?)
view default addresses -- all off

Ideally, not only should the tab not be visible, but also, if the user tries to type in /user/#/addresses, they should get the "access denied" page. Currently, they can manually access other user's addresses.

Right now, my only options are to turn off add/edit for everyone or to disable access to other user's profiles. Can you help?

Thanks,
Rachel

Comments

freixas’s picture

freixas commented
Assigned: Unassigned » freixas
Status: Active » Fixed

Thanks, Rachel,

Actually, you have a bug and I have a bug. When you enable the uc_addresses module, users can always add, edit and view their own addresses. Enabling add/edit addresses for authenticated users allows them to add/edit/view everyone's addresses.

Turning this off, however, won't fix the problem. This is because I was comparing apples and oranges—in this case, the logged in user's uid to the address owner's user object. I've modified the code to compare uid to uid.

The fix is checked in. Wait for a dev release dated 1/31/09 or later. Once you install the new release and disable add/edit for everyone except administrators, please report back and let me know if this fixed your problem so I can close the bug. Thanks.

RachelNY’s picture

RachelNY commented

I will let you know what happens after I install the new dev release.

In the meantime, the reason I enabled 'add/edit addresses' was that when it is disabled, the Addresses tab disappears for everyone except the Administrator. I can't even manually type in the url to get to the logged in user's address i.e. /user/#/addresses.

Any ideas why the user can not get to his own address info?

Thanks,
Rachel

freixas’s picture

freixas commented

Yes, I do have an idea.

As I said, you have a bug and I have a bug. Your bug is enabling the add/edit setting. My bug, the one I fixed, is in not letting the user add/edit his own address.

Clear?

RachelNY’s picture

RachelNY commented

Got it. Installed latest dev release. Confirmed that users can no longer access other user's addresses.

Thank you!
Rachel

freixas’s picture

freixas commented
Status: Fixed » Closed (fixed)

Thanks, Rachel.