Access denied to my userpoints
dendie - October 22, 2009 - 12:31
| Project: | User Points |
| Version: | 6.x-1.1 |
| Component: | Code: userpoints_basic |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | needs review |
Description
A user who has the "view own userpoints" permission has no access to his userpoint list (site/myuserpoints). This is because of the lines 1686 - 1690 in userpoints.module.
<?php
...
if (!user_access(USERPOINTS_PERM_VIEW)) {
  // User has no access to view points
  drupal_access_denied();
  return;
}
...
?>
If I grant this user the required permission "view userpoints", he is also able to see the points of another user, which is not the general idea.
Thanks,
dendie

#1
I think this patch fixes it
#2
#3
Actually, I think this part is not needed:
<?php
// Check permissions
if (!user_access(USERPOINTS_PERM_VIEW)) {
  // User has no access to view points
  drupal_access_denied();
  return;
}
?>
Because a user only needs the "view own" permission to view their own points.
So, the code would look like the patch which I am attaching for you to test.
Please see if that works, and if it does, I will create a new stable release with it.
#4
With your patch only the owner can see the points. As admin I also want to be able to see the points of other users. Furthermore I would like to give the permission to see all points to a specific role.
So I think the
<?php
user_access(USERPOINTS_PERM_VIEW)
?>
is needed, but not at this place.
#5
#6
The other thing is the code on line 178:
<?php
if ($user->uid === 1 || user_access('USERPOINTS_PERM_ADMIN')) {
  return TRUE;
}
?>
I think it should be:
<?php
if ($user->uid === 1 || user_access(USERPOINTS_PERM_ADMIN)) {
  return TRUE;
}
?>
without the quotes.
#7
Actually I think the points of another user should not be accessible through the path 'myuserpoints'. A better way would be the path 'user/%user/userpoints' or something like that.
Thanks
dendie
#8
Here is another patch. I fixed the single quote issue, and more importantly allowed access to *my* to only the user himself, or a user that has admin userpoints permission.
Please test this and let me know.
#9
Hello, thanks for the work. Unfortunately I will be able to test it only on Wednesday but the code looks good.
#10
Post here when you test it. We can wait a few days.
#11
Hello kbahey,
I have tested it and discovered that the user needs to have the 'view userpoints' permission when he wants to view only his own points.
Why don't you like my patch from comment #1? I think the access control should be like this:
'view own userpoints' - to view own userpoints
'view userpoints' - to view userpoints of other users
These two permissions should (could) be independent from each other.
userpoints_access_my_points should look like this:
<?php
function userpoints_access_my_points() {
  global $user;
  // User is uid 1, or has admin permission on userpoints
  if ($user->uid === 1 || user_access(USERPOINTS_PERM_ADMIN)) {
    return TRUE;
  }
  if (_userpoints_user_exists($user->uid)) {
    // User does exist
    if (user_is_logged_in() && (user_access(USERPOINTS_PERM_VIEW) || user_access(USERPOINTS_PERM_VIEW_OWN))) {
      // User has access to view points
      return TRUE;
    }
  }
}
?>
Furthermore I do not understand why you perform access checks in the function userpoints_list_my_userpoints. At this point all the access checks should already be checked by the userpoints_access_my_points function.
I suggest to use this patch.
Thanks
dendie
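An added example, not code from this thread or from the User Points module: a stand-alone PHP sketch of the permission split proposed in #11, applied to a per-account path like the one suggested in #7, so it goes one step beyond the `myuserpoints` callback by comparing the viewer with the owner of the points. The `example_userpoints_access()` callback, the stubbed `user_access()`, the sample uids and the `'admin userpoints'` string value are assumptions made for illustration.

```php
<?php
// Stand-alone sketch: user_access() here is a stub over a constructed
// permission table, not Drupal's implementation.
define('USERPOINTS_PERM_VIEW', 'view userpoints');
define('USERPOINTS_PERM_VIEW_OWN', 'view own userpoints');
define('USERPOINTS_PERM_ADMIN', 'admin userpoints'); // assumed string value

// Constructed sample data: uid => permissions granted through roles.
$GLOBALS['sample_perms'] = array(
  0 => array(),                          // anonymous visitor
  2 => array(USERPOINTS_PERM_VIEW_OWN),  // regular member
  3 => array(USERPOINTS_PERM_VIEW),      // auditor role
  4 => array(USERPOINTS_PERM_ADMIN),     // points administrator
);

// Stub taking the permission string first and the account second.
function user_access($perm, $account) {
  $uid = (int) $account->uid;
  $granted = isset($GLOBALS['sample_perms'][$uid]) ? $GLOBALS['sample_perms'][$uid] : array();
  return in_array($perm, $granted, TRUE);
}

// Hypothetical access callback for a per-account path such as
// user/%user/userpoints: $viewer is the current user, $target the owner.
function example_userpoints_access($viewer, $target) {
  // uid 1 and points administrators may view any account.
  if ((int) $viewer->uid === 1 || user_access(USERPOINTS_PERM_ADMIN, $viewer)) {
    return TRUE;
  }
  // "view own userpoints" applies only to a logged-in user's own account.
  $is_own = (int) $viewer->uid !== 0 && (int) $viewer->uid === (int) $target->uid;
  if ($is_own && user_access(USERPOINTS_PERM_VIEW_OWN, $viewer)) {
    return TRUE;
  }
  // Everything else, other users' points included, needs "view userpoints".
  return user_access(USERPOINTS_PERM_VIEW, $viewer);
}

// Decision table: array(viewer uid, target uid).
$cases = array(array(2, 2), array(2, 3), array(3, 2), array(3, 3), array(4, 2), array(0, 2));
foreach ($cases as $case) {
  $viewer = (object) array('uid' => $case[0]);
  $target = (object) array('uid' => $case[1]);
  $verdict = example_userpoints_access($viewer, $target) ? 'allow' : 'deny';
  printf("viewer %d -> points of uid %d: %s\n", $case[0], $case[1], $verdict);
}
```

Run with the PHP command-line interpreter; the rows where the viewer holds only "view own userpoints" show the two permissions acting independently, which is the behaviour the thread asks for.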
#12
userpoints-02.patch restores functionality that I need.
I need users (administrators) with the "view userpoints" permission to be able to view other users' transaction history for auditing purposes.
This patch worked for me.
Kevin
#13
#11 works for me too.
#14
+1 for the patch in #11 works as expected.....
#15
This is what hacks me off a bit about Drupal if I'm honest, NO ONE EVER puts things in layman's terms to help users that aren't familiar with things like php etc. Now it's totally great that this has a fix and I really want to use it but simply can't as I have no idea where to paste that code into my existing module due to a lack of knowledge with php.
Maybe someone with a bit of understanding can help us PHP "noobs" out a bit
#16
Hello lagerassassin,
the patch in #11 is nothing you can simply paste in the code. You have to apply this patch with a tool like eclipse. But it sounds like you are not a developer so I suggest to follow these instructions: http://drupal.org/patch/apply
Regards,
dendie
#17
Here is the patched userpoints.module file which you can paste into the userpoints directory and test the patch (don't forget to rename it from userpoints.module.txt to userpoints.module)
#18
Thanks for your quick reply Dendie, no you are right I am not a developer and struggle with php, I just think it's a shame because people like myself end up turning our backs on some great modules because it's so difficult to understand.
I will take a look at the video attached to the instruction link you provided but I dare say that this looks and sounds just as difficult and I will probably just end up deleting another module that I really wanted to use because I can't get it to work correctly :(
#19
WOW thanks, that's so much more the kind of thing us noobs need lol, thanks ever so much for your help and I will give it a try :)
#20
Ok, I don't know what I'm doing wrong. I've enabled permissions for all users to see userpoints/list/all and added your patched userpoints.module and a fixed zip of userpoints_top_contributors and I'm still getting the same damned page when an anon or registered user tries to access it
ACCESS DENIED
any ideas what I'm doing wrong?
#21
Is it possible that the user has no points yet? I just tried it and got the access denied. Now I gave the user some points and now it works.
#22
That's not working, but to be honest all I need is the page userpoints/list/all to be accessible to everyone as I'm running a kind of league scoreboard thing, is there not a way to give permissions to every user? I just automatically assumed that would be possible when I downloaded this module :s
#23
You have to give the user the permission "view userpoints".
#24
This has been enabled all along :s
That's why I don't understand
#25
Just for better understanding:
You gave the permission view userpoints to the authenticated user (not only the anonymous user) and a logged in user is not yet able to access the userpoints/list/all page?