Download & Extend
Issues

Users should not be able to contact blocked users

Posted by hefox on September 24, 2009 at 1:36pm
Project:Drupal core
Version:7.x-dev
Component:contact.module
Category:bug report
Priority:minor
Assigned:Unassigned
Status:closed (fixed)
Issue tags:needs backport to D6, Needs tests

Issue Summary

The contact form of blocked users is still valid, but in general they can't sign on and thus can't disable their contact form.
I'd just change it

<?php
function _contact_user_tab_access($account) {
  global $user;
  if (!isset($account->contact) || empty($account->status)) { // here
    $account->contact = FALSE;
  }
  return
    $account && $user->uid &&
    (
      ($user->uid != $account->uid && $account->contact) ||
      user_access('administer users')
    );
}
?>

So administers can still use the blocked users contact form.
Another way to do it

<?php
function _contact_user_tab_access($account) {
  global $user;
  if (!isset($account->contact) || (empty($account->status) && empty(variable_get('blocked_contact',0)))) { // here
    $account->contact = FALSE;
  }
  return
    $account && $user->uid &&
    (
      ($user->uid != $account->uid && $account->contact) ||
      user_access('administer users')
    );
}
?>

with the blocked_contact being a setting somewhere to allow the current workflow, ie contact by anyone with contact permission of blocked user's profiles.

Also, this is also likely an issue with 7.x but I don't have a 7.x dev box or anything so can't see atm, thus I set it to 6.14. though.. http://api.drupal.org/api/function/_contact_personal_tab_access/7 . It's also not part of the last adding permission for personal contact form patch, ie. http://drupal.org/files/issues/58224.031.patch (http://drupal.org/node/58224).

I can make a patch but it'd be against 6-1.4.

Hope this isn't a duplicate issue; Searched 6.x&7.x for contact.module on words 'banned' and 'blocked'.

Login or register to post comments

Comments

#1

Posted by hefox on September 24, 2009 at 1:39pm
Title:Contact forum for blocked users» Contact form for blocked users

Oops u.u;;;

#2

Posted by Dave Reid on October 8, 2009 at 4:34pm
Title:Contact form for blocked users» Users should not be able to contact blocked users
Version:6.14» 7.x-dev
Category:feature request» bug report

Seems valid, although users with admin permissions should still be able to contact them. Bumping to a bug report and adding to my D7 list to get fixed there first.

#3

Posted by hefox on October 8, 2009 at 5:08pm

=)

(BTW, I have no idea if this has been fixed on d7 or if there's issues, but two related issues in d6
the contact forum enable checkbox on user_profile_form contains a link to user's contact forum despite not having access without 'administer users' to it, ie. $user->uid != $account->uid.
Default theme_username links to blocked user's accounts, despite general user's not having access to it; my guess is that may be fixed, since theme_username has changed greatly.).

#4

Posted by Dave Reid on October 8, 2009 at 5:11pm

@hefox: That issue is being dealt with in #345541: Link to contact form in user account and e-mails leads to 403..

#5

Posted by Dave Reid on October 9, 2009 at 3:44am

Waiting for the cleanups to the access function in #525504: Anonymous user should not have contact form to land before this.

#6

Posted by Dave Reid on October 9, 2009 at 10:22pm

Adding tags.

#8

Posted by bleen18 on January 12, 2010 at 7:54pm
Status:active» needs review

#525504: Anonymous user should not have contact form has landed ...

this patch should do the trick. Please to review

AttachmentSizeStatusTest resultOperations
contact_blocked_users.patch1001 bytesIdlePassed on all environments.View details

#9

Posted by Dave Reid on January 12, 2010 at 7:57pm

Can we add a small test for this to make sure regular users cannot access blocked user contact form but 'administer users' can?

#10

Posted by bleen18 on January 13, 2010 at 2:47am

same patch as #8 but with two new tests:

- admins can still contact blocked users
- normal folk cannot contact blocked users

Tests are not my forte, so please give them an extra glance

AttachmentSizeStatusTest resultOperations
contact_blocked_users.patch1.85 KBIdlePassed on all environments.View details

#11

Posted by Dries on January 13, 2010 at 2:11pm

Not sure this is valid. I can easily think of a use case where it would be good if blocked users could still be contacted.

#12

Posted by bleen18 on January 13, 2010 at 2:18pm

@Dries: by non-admins?

#13

Posted by Dave Reid on January 21, 2010 at 6:49pm
Status:needs review» needs work

+++ modules/contact/contact.test 13 Jan 2010 02:45:38 -0000
@@ -347,6 +347,20 @@ class ContactPersonalTestCase extends Dr
+    $this->contact_user = $this->drupalCreateUser();
+    $this->contact_user->status = 0;

I don't think this would actually persist? I think we would need to use user_save().

+++ modules/contact/contact.test 13 Jan 2010 02:45:38 -0000
@@ -347,6 +347,20 @@ class ContactPersonalTestCase extends Dr
+    $this->drupalLogin($this->admin_user);

$this->admin_user is already logged in, so we shouldn't need to re-login. Helps saves a step for tests.

Powered by Dreditor.

#14

Posted by bleen18 on January 22, 2010 at 1:16am
Status:needs work» needs review

how's about this

AttachmentSizeStatusTest resultOperations
contact_blocked_users.patch1.86 KBIdlePassed on all environments.View details

#15

Posted by Dave Reid on February 17, 2010 at 4:09am
Status:needs review» reviewed & tested by the community

Looks good, tested locally, and the bot likes. As expected, admin users can still contact blocked users, so it's a good fix.

#16

Posted by webchick on February 17, 2010 at 4:39am
Status:reviewed & tested by the community» fixed

Great, committed to HEAD!

#17

Posted by System Message on March 3, 2010 at 4:40am
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

nobody click here