Hi, a user informed me that as an anonymous user, they were able to see what points other users had. I thought it was interesting that despite having a permissions setting for the ability to send a user points (USER2USERPOINTS_PERM_SEND), this permission is not used to determine whether a person viewing another user's profile should be allowed to see that information.

I'd suggest that user2userpoints be configured this way, so that only users with the given permission are allowed to see what points a user has accrued. It's an easy fix:

user2userpoints.module, line 12. Change:

if ($op == 'view') {

to:

global $user;
if ($op == 'view' && user_access(USER2USERPOINTS_PERM_SEND, $user)) {

Thoughts?

Comments

berdir

Sorry for spamming the participants in this issue. Due to the release of Drupal 7 and the lack of time from the maintainers, I'm closing all remaining 5.x issues for Userpoints.

Feel free to re-open this issue or create a new one for 6.x or even better 7.x if this bug is still open or feature is missing for these versions.

berdir

Status: Active » Closed (won't fix)