User autocomplete also requires 'access user profiles' permission

pips1 - June 25, 2009 - 12:12
Project: Content Management Filter
Version: 6.x-1.7
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed
Description

AJAX search by author name works fine as superuser (user/1) and other roles I defined.

However, AJAX search by author name doesn't work for any role that doesn't have the permission 'admin cmf module'. By comparison, the 'search by author list' works just fine for that role.

I would have expected that users can use both 'search by author list' and 'search by author name' equally, as long as they have the permissions 'view user content list' and 'filter and manage site content'.

On a side note, this made me wonder what the permission 'admin cmf module' is used for in the first place. See separate support request: #501900.

#1

NancyDru - July 16, 2009 - 16:25
Status: active » postponed (maintainer needs more info)

The latest -dev code no longer has 'admin cmf module' and I am unable to reproduce this problem. If you can, please, confirm that this is no longer an issue, then mark this issue "fixed."

#2

pips1 - July 27, 2009 - 15:23
Version: 6.x-1.6 » 6.x-1.7

I see that 'admin cmf module' is now gone in permissions. Ok, fine, if that didn't do anything in the first place. :-)

However, the "live search" (AJAX search) for 'title/subject' (new feature of 6.x-1.7) and 'user name' still only works for the superuser (/user/1). For any other (custom created) role, I don't get any available node titles / user names listed by the live search...

For comparison, I tested the live search of the cck nodereference with those roles, and the live search works just fine.

Can anyone reproduce this at all?

#3

pips1 - July 27, 2009 - 15:24
Title: AJAX search by author name doesn't work without permission 'admin cmf module' ? » Live search (AJAX search) by 'title/subject' and 'author name' doesn't work for roles other than superuser

#4

pips1 - July 27, 2009 - 15:34
Title: Live search (AJAX search) by 'title/subject' and 'author name' doesn't work for roles other than superuser » Live search (AJAX search) by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser

I just discovered that live search for 'title/subject' (new feature of 6.x-1.7) doesn't work with the superuser role either.

(However, the 'user name' works for the superuser).

#5

NancyDru - July 27, 2009 - 18:37

Here's a picture from my user/3 showing content selected with the "title/subject" filter. And I assure you that I tested it before committing it. BTW, I don't think the "title/subject" filter uses Ajax.

Attachment: cmf_1.jpg (68 KB)

#6

pips1 - July 27, 2009 - 20:17

Hi Nancy, thanks for looking into this. Please have a look at the two attached screenshots.

Attachments:
incremental-search_drupal-project-cmf-1.png (81.06 KB)
incremental-search_drupal-project-cmf_role-site-architect-1.png (88.81 KB)

#7

pips1 - July 27, 2009 - 20:18
Title: Live search (AJAX search) by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser » Incremental find by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser

#8

NancyDru - July 27, 2009 - 22:10

In order to use the user/autocomplete function, a user must have the 'access user profiles' permission. So, there are three ways to go here:

  1. Duplicate the user module's function within CMF, but with a different permission and hope this doesn't trigger a security issue.
  2. Skip that filter if that permission is not granted.
  3. Alter the user module menu to use either their permission or CMF's permission. There could be a huge security potential with this.

I sort of lean towards #2 because of potential security issues, but #1 would not be all that hard to accomplish. While #3 is not hard, I am very concerned about that.

The "title/subject" filter is not an autocomplete. You simply enter a string and the filter will find all nodes/comments with that string.

#9

NancyDru - July 27, 2009 - 22:09
Title: Incremental find by 'title/subject' doesn't work / by 'user name' doesn't work for roles other than superuser » User autocomplete also requires 'access user profiles' permission

Changing title.

#10

NancyDru - July 27, 2009 - 23:00
Status: postponed (maintainer needs more info) » patch (to be ported)

Fix committed to 6.x-1.x-dev. Will be ported to 5.x.

I went with option #1, which means that you will need to rebuild the menus (or clear cache).

#11

NancyDru - August 1, 2009 - 18:02
Status: patch (to be ported) » fixed

Committed to 5.x-1.x-dev

#12

NancyDru - August 1, 2009 - 18:30
Status: fixed » closed
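
Option 1 from comment #8, written out as a Drupal 6 example added here; it is not the code committed to CMF. The module name `example_cmf`, its menu path and the choice of 'filter and manage site content' as the gating permission are assumptions made for illustration.

```php
<?php
// Added illustration for Drupal 6; "example_cmf" is a hypothetical module name.

/**
 * Implementation of hook_menu().
 */
function example_cmf_menu() {
  $items = array();
  // Module-owned autocomplete path, so core's user/autocomplete route and its
  // 'access user profiles' check stay untouched (option 1, not option 3).
  $items['example_cmf/user/autocomplete'] = array(
    'title' => 'User autocomplete',
    'page callback' => 'example_cmf_user_autocomplete',
    // Assumption: reuse the permission that already gates the filter page.
    'access arguments' => array('filter and manage site content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Menu callback: returns up to 10 user names starting with $string as JSON.
 */
function example_cmf_user_autocomplete($string = '') {
  $matches = array();
  // Require at least two characters to limit how much of the user list a
  // single short query exposes to this role.
  if (drupal_strlen($string) >= 2) {
    // %s is escaped by db_query_range(); %% is a literal SQL wildcard.
    $result = db_query_range("SELECT name FROM {users} WHERE status = 1 AND LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
    while ($account = db_fetch_object($result)) {
      // Escape for the HTML suggestion list rendered by autocomplete.js.
      $matches[$account->name] = check_plain($account->name);
    }
  }
  drupal_json($matches);
}

/**
 * The filter form element then points at the module's own path.
 */
function example_cmf_author_element() {
  return array(
    '#type' => 'textfield',
    '#title' => t('User name'),
    '#autocomplete_path' => 'example_cmf/user/autocomplete',
  );
}
```

As comment #10 notes, a new menu path only takes effect after the menus are rebuilt or the cache is cleared. Any role granted the gating permission can list active user names through this path, so that permission should be reviewed with the same care as 'access user profiles'.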
 
 
