Lock the user Edit function
earnie - June 18, 2009 - 15:35
| Project: | LoginToboggan |
| Version: | 7.x-1.x-dev |
| Component: | User interface |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | won't fix |
Description
It would be best if the user Edit function were locked from unconfirmed users. It could be that a permissions access item such as "change own username" would be used to control the lock.

#1
i'm not clear why this is a good idea. users in the pre-auth role should still have access to that section and the ability to edit whatever the pre-auth role has permission to edit.
what's your reasoning?
#2
The reasoning is for further spam control. Allowing a user to modify his profile before the user confirms could be a security risk. But I'm not up on what changes D7 has made to the user permissions interface with regard to the user's permissions.
#3
the only thing they can do at their edit page is edit the information there, which IMO doesn't qualify as spam. if another module exposes additional functionality there, then it should have permissions available to restrict access, and those should be leveraged for pre-auth users where appropriate.
again, this should be handled with permissions. if core exposes some security risk that can't be solved via restricted permissions, then the issue should be addressed in core.