With a recent version upgrade I'm getting the CMF tab back on all user profiles (authenticated users). I have permissions set for admin only for "filter and manage" and the "view user content list" is unchecked for all roles (setting for admin only has the same effect, though). I've run update, rebuilt the permissions and cleared the cache with no change.

Is there some other setting that's adding the CMF tab for users that I haven't found?

I even upgraded to 6.x-2.x-dev hoping for a cure but still no change.

Comments

nancydru’s picture

Status: Active » Postponed (maintainer needs more info)

Are the users themselves seeing it, or is it the admin looking at them? The admin should see it, as should anyone else with 'access user profiles'. See #535590: Permission settings - per user/global/both.

XerraX’s picture

the users do see it

users with "access user profiles" should not see cmf tab, but users with "view user content list" or something similar should

Bernardine’s picture

Confirming ... users logged into their own accounts/views (non admins) have the CMF tab on their profile.

sharrison’s picture

Confirming ... users logged into their own accounts/views (non admins) have the CMF tab on their profile.

nancydru’s picture

This is very strange. On my sites, users with "view user content list" get the tab, others do not, unless they have "access user profiles."

sharrison’s picture

On my site, I have granted no permissions for the cmf module.

No one has permissions to filter and manage site content.

And no one has permission to view user content list.

But everyone's getting the tab.

Anonymous and authenticated users are all getting the tab.

Not sure what to do.

nancydru’s picture

Make sure that cmf.module starts with // $Id: cmf.module,v 1.2.2.19.2.2 2009/09/05 19:57:12 nancyw Exp $ for the latest code. If you have Devel, rebuild the menus, otherwise, clear the caches. Make sure they don't have "access user profiles."

XerraX’s picture

but you need "access user profiles" to see user profiles! CMF should not depend on this!

mark.’s picture

Priority: Normal » Critical

Same problem here, I have only enabled "filter and manage site content" & "view user content list" for "custom role", but CMF completely ignores the permissions for "view user content list". All anonymous visitors have access to the CMF tab on user profiles.

pasqualle’s picture

the tab is active for users with 'view user content list' or 'access user profiles' permission. It seems it is intentional by the module maintainers, but most users see this as a bug.
I also think it should be available for users with 'view user content list' AND 'access user profiles' permissions. Both permissions should be required.

mark.’s picture

Perhaps the maintainer would like us to believe that it is intentional and not a bug, but I have a hard time believing that.

If that is true, the maintainer is intentionally and severely reducing the usability of an otherwise, very usable module. It's awfully shortsighted to have this module interfere with the layout of every profile on a site (the primary content on many sites), without a choice.

...and I hardly view "if you don't want visitors to see the tab, then they can't see the profile at all!" as a choice.

However, if the permission "view user content list" actually granted that permission (regardless of which drupal core permission is, or isn't set), there would be no problem in the first place, which is why I have a hard time believing it was intentional.

*bonus reason: the permission is "access user profiles", not "access user profiles and access a tab that lists all of the content that the user has published", so I don't see any reason for a module developer to treat the permission as if it's name is the latter.

nancydru’s picture

@zywiec: It is this kind of attitude and name calling that makes maintainers close an issue as "won't fix" regardless of how egregious it is.

There are two facts you are overlooking from my posts:
1) The intent of adding in the "access user profiles" permission was to allow those with admin access (not just user/1) to view this tab. I maintain several sites where I am not user/1 but am expected to use this feature to limit spammer impact.
2) On my sites, this feature operates as intended and as people are asking for. In short, "I cannot reproduce this bug" so I have trouble fixing it.

nancydru’s picture

I reverted the access checking to what it was before and found that the user tab permission was backwards. I have committed a fix to 6.x-2.x-dev. It must be tested and marked RTBC before I will consider a new release.

nancydru’s picture

Status: Postponed (maintainer needs more info) » Needs review
pasqualle’s picture

the permission check for user cmf page should be:
user_access('access user profiles') && user_access('view user content list')

if you remove one of them then it makes an uncontrolled situation

problem with 6.x-2.x
permissions:
'access user profiles' - no
'view user content list' - yes

pages:
user/42 - no access
user/42/cmf - accessible

that does not seems right..

nancydru’s picture

With the fix I committed, 'view user content list' totally controls whether or not the user tab is shown. 'Access user profiles' is totally gone.

Bernardine’s picture

Resolved for me with 6.x-2.x-dev, thanks NancyDru.

XerraX’s picture

thanks for the fix :-) works!

nancydru’s picture

The next tester should mark this as "reviewed and tested by the community." There will not be an official release to correct it until it is.

sharrison’s picture

If installing the dev version isn't the same as "reviewing and testing by the community," please disregard this post.

I installed the new dev version and it works.

So, . . .

  • reviewed and tested by the community
nancydru’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

sharrison’s picture

HI, NancyDru.

I wanted to let you know that the visibility issue has cropped up for me again.

When I tested the module fix back in October, only people who had the "view user content list" _and_ view "access user profiles" could see the CMF tab on the profile page.

Yesterday, when I went through my site under an authenticated user alias that doesn't have the "view user content list" permission, I was able to see and use the CMF tab on all user profile pages.

So, the prior bug seems to be back.

At present, I'm running Content Management Filter 6.x-2.0 and Drupal 6.15.

Here to help,

Stan

pasqualle’s picture

the fix is not in the 6.x-2.0 release.
in 6.x-2.x release, only users with "view user content list" can access the CMF.

sharrison’s picture

Sorry about that. I must have set the module back to an earlier state without thinking.

My apologies.

And thank you very much for the quick help.

marcoka’s picture

i needed to rebuild permissions. so far, working here, too