#154865: Add field to 'contact' node authors allowed Views to generate links users' contact forms. In render(), the access is first checked (correctly I think!) using http://api.drupal.org/api/function/_contact_user_tab_access, then an additional manual check is made that essentially duplicates that function call but gets it wrong in 2 instances:

1. _contact_user_tab_access() also checks for the 'administer users' permission: but Views will currently not let these users see the contact link
2. if the access callback for personal contact forms is modified (e.g. see #6 and #23 in #310895: Port Anonymous Contact to Drupal 6) then this does not get correctly picked up. Same problem will occur if #58224: Allow anonymous users access to a members personal contact form ever lands!

The solution seems to be simply to rely on _contact_user_tab_access() and to get rid of the 2nd, manual check.

The relevant bit of code from modules/contact/views_handler_field_contact_link.inc follows...

  function render($values) {
    global $user;
    $uid = $values->{$this->aliases['uid']};
    $account = user_load(array('uid' => $uid));
    
    // Check access when we pull up the user account so we know
    // if the user has made the contact page available.
    if (! _contact_user_tab_access($account)) {
      return;
    }
    if ($account !== FALSE && $account->contact && $user->uid > 0) {
      ...
CommentFileSizeAuthor
#3 contact_link_access.patch1.35 KBgpk
#4 contact_link_access.patch1.58 KBgpk
#2 contact_link_access.patch1.35 KBgpk
#1 contact_link_access.patch1.35 KBgpk

Comments

gpk’s picture

gpk commented
Status: Active » Needs review
StatusFileSize
new contact_link_access.patch1.35 KB

Now with patch. Includes a tiny bit of whitespace cleanup also.

gpk’s picture

gpk commented
StatusFileSize
new contact_link_access.patch1.35 KB

Oops, that did the opposite of what was required, hopefully with correct logic this time!

gpk’s picture

gpk commented
StatusFileSize
new contact_link_access.patch1.35 KB

Moral: test. Always test. :P

This one makes sure the anonymous user's contact form isn't shown ;) (that's probably a minor bug in _contact_user_tab_access() in the case where the current user has 'administer users' permission).

gpk’s picture

gpk commented
StatusFileSize
new contact_link_access.patch1.58 KB

OK let's see if we can actually supply a new patch..

:D

merlinofchaos’s picture

merlinofchaos commented

Hmm. I don't remember this code at all. Must've committed somebody else's patch.

If we're going to be fixing this code, that link needs to be updated to use the newer link rendering code, where link data is placed in the options['alter'] array so that link rewriting can be used. I guess it's not a *requirement* for this patch to go in, but I'd like to see it. =)

gpk’s picture

gpk commented

Tx for reply, yes the original patch is at #13 in #154865: Add field to 'contact' node authors.

If you can point me to an example of what needs to be done I could have a go .. presumably you are suggesting that code needs to be added to option_definition() .. I'm not quite sure what needs to go into $options['alter'], or how it relates to the return value of render()....?

gpk’s picture

gpk commented

I've posted a patch for the minor bug I mentioned in #3 above at #525504: Anonymous user should not have contact form.

merlinofchaos’s picture

merlinofchaos commented
Status: Needs review » Fixed

Hm. Changed my mind about the linking comment anyhow. Committed! WEll I changed it up a bit, but I tested it and it appears to work.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

gpk’s picture

gpk commented

Great, thanks!

Note that in this line

if (!_contact_user_tab_access($account) || empty($account->contact)) {

the 2nd check is superfluous since it already done in http://api.drupal.org/api/function/_contact_user_tab_access/6 or http://api.drupal.org/api/function/_contact_personal_tab_access/7.

Also #525504: Anonymous user should not have contact form has been committed to 7.x and is RTBC to 6.x, but IMO need to leave the test for empty($uid) in Views 6.x at least.

hellomobe’s picture

hellomobe commented
Status: Closed (fixed) » Active

I'm using the contact link in a views block. It shows up in the administrator role, but not for any other roles. Am I missing a permissions requirement? The users have "allow for the contact form" enabled. I thought it was perhaps because users on my site don't have access to each other's user/uid page, but that's not the issue as far as I tested. What am I missing?

My version for this handler file is 9/21/2009.

dawehner’s picture

dawehner
Primary language German
commented

Are you sure that the account variable has set $account->contact?

I guess it is empty for you so _contact_user_tab_access returns false for you.

function _contact_user_tab_access($account) {
  global $user;
  if (!isset($account->contact)) {
    $account->contact = FALSE;
  }
  return
    $account && $user->uid &&
    (
      ($user->uid != $account->uid && $account->contact) ||
      user_access('administer users')
    );
}
hellomobe’s picture

hellomobe commented

Thank you for your response -- you're right, it isn't a views issue (sorry). It was blocked after all because users couldn't access the user profile page (default personal contact form). I'll create a new contact form to fix it.

merlinofchaos’s picture

merlinofchaos commented
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.