Hi,

There are a few kitten-killing "re-write permissions!" type issues floating around. I think they need to be broken into separate, specific issues, so small patches can be provided and rolled in. Here's mine:

You can only set the permission to "add twitter accounts" ... so, for example, user 1 will add their Twitter account from user/1/edit/twitter ... but if they go directly to user/3/edit/twitter then they have access and can change *that* user's Twitter account details. Not ideal!

I propose this be split into two permissions:

"add twitter accounts" (as is, no change to behaviour - this is a perm for site admins)
"add own twitter account" (only allows user to change *their* user/uid/edit/twitter page, not others')

If I get chance, I'll put a patch in.
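
The access decision described in the post, as an added example that is not part of the original post and not the Twitter module's code. It is a stand-alone model: the function names and the `$account` array shape are hypothetical, and only the two permission strings and the `user/uid/edit/twitter` path come from the post.

```php
<?php
// Stand-alone model of the access decision; no Drupal APIs are used.
// Function names and the $account array shape are hypothetical.

// Extract the target uid from a path such as "user/3/edit/twitter".
function target_uid_from_path(string $path): ?int {
  return preg_match('#^user/(\d+)/edit/twitter$#', $path, $m) ? (int) $m[1] : NULL;
}

// Behaviour reported in the post: holding the permission is enough,
// whichever user's page is requested.
function access_as_reported(array $account, string $path): bool {
  return target_uid_from_path($path) !== NULL
    && in_array('add twitter accounts', $account['permissions'], TRUE);
}

// Proposed split: the admin permission covers any user's page, the "own"
// permission only the page whose uid matches the logged-in account.
function access_with_split(array $account, string $path): bool {
  $target = target_uid_from_path($path);
  if ($target === NULL) {
    return FALSE; // Not a Twitter edit page: deny by default.
  }
  if (in_array('add twitter accounts', $account['permissions'], TRUE)) {
    return TRUE;
  }
  return $account['uid'] > 0 // uid 0 is Drupal's anonymous user
    && $account['uid'] === $target
    && in_array('add own twitter account', $account['permissions'], TRUE);
}

// Constructed sample accounts.
$user1_today = ['uid' => 1, 'permissions' => ['add twitter accounts']];
$user1_split = ['uid' => 1, 'permissions' => ['add own twitter account']];
$site_admin = ['uid' => 2, 'permissions' => ['add twitter accounts']];

foreach (['user/1/edit/twitter', 'user/3/edit/twitter'] as $path) {
  printf("%-20s reported=%s split(own)=%s split(admin)=%s\n", $path,
    var_export(access_as_reported($user1_today, $path), TRUE),
    var_export(access_with_split($user1_split, $path), TRUE),
    var_export(access_with_split($site_admin, $path), TRUE));
}
```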

Comments

socialnicheguru

Thanks for this.

I had no idea that is what the permissions meant.

I agree with this break out.

As it stands, I can't use it :( on this site.

steinmb

Status: Active » Closed (fixed)

Most of this is fixed now, but there is a new security issue that you might join in on #1344952: Users with twitter global account access should not be able to delete account