
User autocomplete also requires 'access user profiles' permission

Project: Content Management Filter
Version: 6.x-1.7
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

AJAX search by author name works fine as superuser (user/1) and other roles I defined.

However, AJAX search by author name doesn't work for any role that doesn't have the permission 'admin cmf module'. By comparison, the 'search by author list' works just fine for that role.

I would have expected that users can use both 'search by author list' and 'search by author name' equally, as long as they have the permissions 'view user content list' and 'filter and manage site content'.

On a side note, this made me wonder what the permission 'admin cmf module' is used for in the first place. See separate support request: #501900.

Comments

#1

Status: active » postponed (maintainer needs more info)

The latest -dev code no longer has 'admin cmf module' and I am unable to reproduce this problem. If you can, please, confirm that this is no longer an issue, then mark this issue "fixed."

#2

Version: 6.x-1.6 » 6.x-1.7

I see that 'admin cmf module' is now gone in permissions. Ok, fine, if that didn't do anything in the first place. :-)

However, the "live search" (AJAX search) for 'title/subject' (new feature of 6.x-1.7) and 'user name' still only works for the superuser (/user/1). For any other (custom created) role, I don't get any available node titles / user names listed by the live search...

For comparison, I tested the live search of the cck nodereference with those roles, and the live search works just fine.

Can anyone reproduce this at all?

#3

Title: AJAX search by author name doesn't work without permission 'admin cmf module' ? » Live search (AJAX search) by 'title/subject' and 'author name' doesn't work for roles other than superuser

#4

Title: Live search (AJAX search) by 'title/subject' and 'author name' doesn't work for roles other than superuser » Live search (AJAX search) by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser

I just discovered that live search for 'title/subject' (new feature of 6.x-1.7) doesn't work with the superuser role either.

(However, the 'user name' works for the superuser).

#5

Here's a picture from my user/3 showing content selected with the "title/subject" filter. And I assure you that I tested it before committing it. BTW, I don't think the "title/subject" filter uses Ajax.

Attachment | Size
cmf_1.jpg | 68 KB

#6

Hi Nancy, thanks for looking into this. Please have a look at the two attached screenshots.

Attachment | Size
incremental-search_drupal-project-cmf-1.png | 81.06 KB
incremental-search_drupal-project-cmf_role-site-architect-1.png | 88.81 KB

#7

Title: Live search (AJAX search) by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser » Incremental find by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser

#8

In order to use the user/autocomplete function, a user must have the 'access user profiles' permission. So, there are three ways to go here:

  1. Duplicate the user module's function within CMF, but with a different permission and hope this doesn't trigger a security issue.
  2. Skip that filter if that permission is not granted.
  3. Alter the user module menu to use either their permission or CMF's permission. There could be a huge security potential with this.

I sort of lean towards #2 because of potential security issues, but #1 would not be all that hard to accomplish. While #3 is not hard, I am very concerned about that.

The "title/subject" filter is not an autocomplete. You simply enter a string and the filter will find all nodes/comments with that string.

#9

Title: Incremental find by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser » User autocomplete also requires 'access user profiles' permission

Changing title.

#10

Status: postponed (maintainer needs more info) » patch (to be ported)

Fix committed to 6.x-1.x-dev. Will be ported to 5.x.

I went with option #1, which means that you will need to rebuild the menus (or clear cache).
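
Added example, not part of the thread and not the code committed to CMF: a sketch of what option #1 from comment #8 can look like in a Drupal 6 module, with the duplicated autocomplete callback gated by the module's own permission and limited to returning escaped user names. The module name `mymodule`, the menu path and the function names are hypothetical; the permission string is the one named in this issue.

```php
<?php
// Added example for a Drupal 6 module. "mymodule", the menu path and the
// function names are hypothetical; the permission string comes from the issue.

/**
 * Implementation of hook_menu(): a module-owned autocomplete route.
 * Core's user/autocomplete stays gated by 'access user profiles'.
 */
function mymodule_menu() {
  $items = array();
  $items['mymodule/user-autocomplete'] = array(
    'title' => 'User autocomplete',
    'page callback' => 'mymodule_user_autocomplete',
    'access callback' => 'user_access',
    'access arguments' => array('filter and manage site content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: returns matching user names, and nothing else, as JSON.
 */
function mymodule_user_autocomplete($string = '') {
  $matches = array();
  // Assumption: a two-character minimum keeps very broad prefix queries
  // from being used to walk the user table.
  if (drupal_strlen($string) >= 2) {
    // The typed string is bound through the %s placeholder, never
    // concatenated into the SQL; at most 10 rows are returned.
    $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
    while ($account = db_fetch_object($result)) {
      // Escape on output: the name is rendered in the suggestion list.
      $matches[$account->name] = check_plain($account->name);
    }
  }
  drupal_json($matches);
}

/**
 * Form element for the author filter, pointed at the new route.
 */
function mymodule_author_element() {
  return array(
    '#type' => 'textfield',
    '#title' => t('User name'),
    '#autocomplete_path' => 'mymodule/user-autocomplete',
  );
}
```

A new hook_menu() entry only takes effect after the menus are rebuilt or the cache is cleared, which is why comment #10 mentions that step. Any role granted the chosen permission can list user names through this route, so the permission should be given only to roles that are meant to see them.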

#11

Status: patch (to be ported) » fixed

Committed to 5.x-1.x-dev

#12

Status: fixed » closed (fixed)