Shouldn't be able to change other users role

Project: Join role with password
Version: 6.x-1.x-dev
Component: User interface
Category: bug report
Priority: normal
Assigned: francoud
Status: closed (fixed)

Issue Summary

I love this module, but when I was surfing around on my user accounts, I noticed that if I go to another user's profile I can still see the join or leave role tab, and can edit it for them! I don't believe this should be possible. I think it just needs a simple patch so that only the user/owner of an account can view/change their role. Or if this was a chosen design, please let me know.

Comments

#1

Title: Souldn't be able to change other users role » Shouldn't be able to change other users role
Status: active » needs review

Fixed my version, and hopefully this will be put in the next update.

Changed line 59 in join_role_with_password.module from
$items['user/%user/join_role'] = array(

to

$items['user/%user/edit/join_role'] = array(

and ran update.php

#2

As far as I can see, the module allows only the current user to join or leave a role.

If user nr. 2 goes to /user/3/join_roles, he still affects only himself, not user 3's roles.

I agree it is not elegant that user 2 can go to "/user/3/join_roles". The correct URL should be just "/user/join_role", but it's just a matter of link visibility... I'll investigate further.

#3

Priority: critical » normal

If the actual edits only affect the current user anyway, regardless of the URL, then setting this to normal, not critical. And if so, then the fix should be relatively easy?

#4

Thanks for setting this bug from critical to normal. I didn't notice it.

I can confirm: /user/%whatever/join_role always affects only the "current" user.

Actually, I just want the "Join or leave a role" item to appear together with the "view" and "edit" tabs for the "my account" menu; it should appear for the current user only, but if I use $items['user/%user/join_role'] in the hook_menu call, it appears for any user; putting it inside the "edit" will also lead to misunderstanding (user/edit/%whatever/join_role will, again, only affect the current user).

Still searching for an elegant solution. Any suggestion will be appreciated ;)
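The tab-visibility problem discussed in comments #1 to #4, as an added example that is not part of the thread and is not the patch attached in #5: a Drupal 6 `hook_menu()` item whose access callback grants the tab only to the profile's owner, plus a validate handler that repeats the check on submit. The module name `example_join` and all function names are assumptions.

```php
<?php
// Added example for a hypothetical Drupal 6 module "example_join".
// All function names below are assumptions, not the project's code.

/**
 * Implements hook_menu().
 */
function example_join_menu() {
  $items = array();
  $items['user/%user/join_role'] = array(
    'title' => 'Join or leave a role',
    'page callback' => 'drupal_get_form',
    // Argument 1 is the account object loaded by the %user wildcard.
    'page arguments' => array('example_join_form', 1),
    // Evaluated per request: hides the tab and returns 403 on FALSE.
    'access callback' => 'example_join_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback: only the logged-in owner of the profile gets the tab.
 */
function example_join_access($account) {
  global $user;
  return $user->uid > 0 && $account->uid == $user->uid;
}

/**
 * Form builder: records which account the form was built for.
 */
function example_join_form(&$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

/**
 * Validate handler: repeats the ownership check before any role change.
 */
function example_join_form_validate($form, &$form_state) {
  global $user;
  if ($form_state['values']['uid'] != $user->uid) {
    form_set_error('uid', t('You can only change your own roles.'));
  }
}
```

Drupal 6 caches the menu router, so a changed `hook_menu()` only takes effect after the menu is rebuilt, for example by clearing the site caches.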

#5

Status: needs review » needs work

I tried solving the problem with this patch. The "trick" was: moving the "join or leave a role" link from the original place (now u find it under the "profile" link), and forcing the "right" URL. I tried it and it seems to be working, but maybe somebody could test it further. I post the "patch" that should lead to module version 1.2-1. Still not committing it - needs more testing...

note: patch applies to version 6 only!!

Attachment: join_role_with_password.module.1.2.1.patch (1.76 KB)

#6

Assigned to: Anonymous » francoud
Status: needs work » closed (fixed)

I didn't receive any comment, and my tests seem good. So I think u can use this patch if u need it.

#7

Will the patch be committed?