CMF tab appearing on user profile despite permissions
Bernardine - August 25, 2009 - 16:53
| Project: | Content Management Filter |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | support request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Jump to:
Description
With a recent version upgrade I'm getting the CMF tab back on all user profiles (authenticated users). I have permissions set for admin only for "filter and manage" and the "view user content list" is unchecked for all roles (setting for admin only has the same effect, though). I've run update, rebuilt the permissions and cleared the cache with no change.
Is there some other setting that's adding the CMF tab for users that I haven't found?
I even upgraded to 6.x-2.x-dev hoping for a cure but still no change.
#1
Are the users themselves seeing it, or is it the admin looking at them? The admin should see it, as should anyone else with 'access user profiles'. See #535590: Permission settings - per user/global/both.
#2
the users do see it
users with "access user profiles" should not see cmf tab, but users with "view user content list" or something similar should
#3
Confirming ... users logged into their own accounts/views (non admins) have the CMF tab on their profile.
#4
Confirming ... users logged into their own accounts/views (non admins) have the CMF tab on their profile.
#5
This is very strange. On my sites, users with "view user content list" get the tab, others do not, unless they have "access user profiles."
#6
On my site, I have granted no permissions for the cmf module.
No one has permissions to filter and manage site content.
And no one has permission to view user content list.
But everyone's getting the tab.
Anonymous and authenticated users are all getting the tab.
Not sure what to do.
#7
Make sure that cmf.module starts with
// $Id: cmf.module,v 1.2.2.19.2.2 2009/09/05 19:57:12 nancyw Exp $for the latest code. If you have Devel, rebuild the menus, otherwise, clear the caches. Make sure they don't have "access user profiles."#8
but you need "access user profiles" to see user profiles! CMF should not depend on this!
#9
Same problem here, I have only enabled "filter and manage site content" & "view user content list" for "custom role", but CMF completely ignores the permissions for "view user content list". All anonymous visitors have access to the CMF tab on user profiles.
At this point though, I suppose I should just be thankful that the module doesn't open up the admin/content/filter page for all anonymous visitors.
Is this going to be fixed? How can I get rid of the whole CMF tab functionality altogether? ...aside from deleting the module.
#10
the tab is active for users with 'view user content list' or 'access user profiles' permission. It seems it is intentional by the module maintainers, but most users see this as a bug.
I also think it should be available for users with 'view user content list' AND 'access user profiles' permissions. Both permissions should be required.
#11
Perhaps the maintainer would like us to believe that it is intentional and not a bug, but I have a hard time believing that.
If that is true, the maintainer is intentionally and severely reducing the usability of an otherwise, very usable module. It's awfully shortsighted to have this module interfere with the layout of every profile on a site (the primary content on many sites), without a choice.
...and I hardly view "if you don't want visitors to see the tab, then they can't see the profile at all!" as a choice.
However, if the permission "view user content list" actually granted that permission (regardless of which drupal core permission is, or isn't set), there would be no problem in the first place, which is why I have a hard time believing it was intentional.
*bonus reason: the permission is "access user profiles", not "access user profiles and access a tab that lists all of the content that the user has published", so I don't see any reason for a module developer to treat the permission as if it's name is the latter.
#12
@zywiec: It is this kind of attitude and name calling that makes maintainers close an issue as "won't fix" regardless of how egregious it is.
There are two facts you are overlooking from my posts:
1) The intent of adding in the "access user profiles" permission was to allow those with admin access (not just user/1) to view this tab. I maintain several sites where I am not user/1 but am expected to use this feature to limit spammer impact.
2) On my sites, this feature operates as intended and as people are asking for. In short, "I cannot reproduce this bug" so I have trouble fixing it.
#13
I reverted the access checking to what it was before and found that the user tab permission was backwards. I have committed a fix to 6.x-2.x-dev. It must be tested and marked RTBC before I will consider a new release.
#14
#15
the permission check for user cmf page should be:
user_access('access user profiles') && user_access('view user content list')
if you remove one of them then it makes an uncontrolled situation
problem with 6.x-2.x
permissions:
'access user profiles' - no
'view user content list' - yes
pages:
user/42 - no access
user/42/cmf - accessible
that does not seems right..
#16
With the fix I committed, 'view user content list' totally controls whether or not the user tab is shown. 'Access user profiles' is totally gone.
#17
Resolved for me with 6.x-2.x-dev, thanks NancyDru.
#18
thanks for the fix :-) works!
#19
The next tester should mark this as "reviewed and tested by the community." There will not be an official release to correct it until it is.
#20
If installing the dev version isn't the same as "reviewing and testing by the community," please disregard this post.
I installed the new dev version and it works.
So, . . .
#21
#22
Automatically closed -- issue fixed for 2 weeks with no activity.