Drupal core's contact module currently has a very strange all-or-nothing concept.
EITHER you allow people to contact your users, and allow them to use the side-wide form, OR you allow nothing.
It is not possible to allow people to only use the side-wide, or only to contact users.
This simple patch adds a lot of flexibility and power to the contact module.
It adds 'use site-wide contact' and 'use personal contact' permissions. You can imagine that by playing with these settings one can achieve very interesting concepts. E.G. allow only premium users, or administrators, to contact other users. Or swithc off the personal contact by not giving anyone access to that.
This patch also fixes something that smells like a security bug, but might be just a small bug. In the menu, we did not check wether or not someone has access to user profiles for the user/xyz/contact tab.
I fixed this by adding an additional user_access('access user profiles')
to that menu-item.
Bèr
Comment | File | Size | Author |
---|---|---|---|
#26 | contact_drupal-6.patch | 943 bytes | Andrew Gorokhovets |
#25 | contact_drupal-6.patch | 955 bytes | Andrew Gorokhovets |
#9 | contact.module.perms.patch_0.txt | 1.32 KB | Bèr Kessels |
#7 | contact.module.perms.patch.txt | 1.38 KB | Bèr Kessels |
user.module.perms.patch.txt | 1.22 KB | Bèr Kessels |
Comments
Comment #1
Bèr Kessels CreditAttribution: Bèr Kessels commentedComment #2
Bèr Kessels CreditAttribution: Bèr Kessels commentedhttp://drupal.org/node/35374 is related.
Comment #3
Bèr Kessels CreditAttribution: Bèr Kessels commentedalso related http://drupal.org/node/60483
Comment #4
Dries CreditAttribution: Dries commentedI'm cool with this patch, however, we need to work on the wording.
1. Does it match the terminology used elsewhere in the module? I'd postfix both permissions with 'form'.
2. What does 'use' mean? Does it mean that I can enable my own contact form, or that I can contact other people using their contact form? This needs to be clarified, IMO.
Comment #5
Zen CreditAttribution: Zen commentedShould probably be "access" instead of "use" ?
I don't think the access user profiles check was required *before* this patch. By leaving out 'access', it would have defaulted to the access permissions of 'user/1'. AFAIK anyways.
Thanks,
-K
Comment #6
bermin CreditAttribution: bermin commentedNice patch.
I have seen this node referenced as a solution to allowing 'anonymous' access (without the need to register) to the 'contact' tab.
This patch allows anonymous to see the 'contact' tab in a users profile, but it fails to allow anonymous to send without registering.
Comment #7
Bèr Kessels CreditAttribution: Bèr Kessels commented* Changed "use" into "access", it makes more sense.
* Postfixed each perm with "form". Perms are now
'access site-wide contact form', 'access personal contact form'
* Added a check for $user->uid, wich fixes yet another bug.
One new feature, two bugs fixed with a patch as tiny as this one! please review :)
Comment #8
Dries CreditAttribution: Dries commentedStill sloppy IMO.
"access personal contact form" implies that people can access their own contact form. If you write "forms" (plural), it implies other people's contact forms. Which one does it need to be?
Now we have a new permission, we can get rid of the old one (IMO):
+ 'access' => (user_access('access content') && user_access('access site-wide contact form')),
Do we still need the check for user_access('access content')? I don't think so.
+ 'access' => ($user->uid && user_access('access user profiles') && user_access('access personal contact form')),
IMO, a contact form and a user profile are separate things. I'd remove the user_access('access user profiles') bit.
Comment #9
Bèr Kessels CreditAttribution: Bèr Kessels commentedthe patch is only getting smaller ;)
Comment #10
Dries CreditAttribution: Dries commentedCommitted.
Comment #11
pwolanin CreditAttribution: pwolanin commentedWill this patch also get applied to the 4.7 branch? Thanks for adding this feature!
Comment #12
Bèr Kessels CreditAttribution: Bèr Kessels commentedDries: thank you for the persistance! Wonderfull to see your persistance and th eresult of it in such small issues. Again: thanks.
@pwolanin: most probably not. 4.7 is closed for features. If you really want small features like this to make it towards your website, the best thing is to get closely involved in the 4.8 release. Because the sooner that releases, the sooner you can benefit from small patches like these! Please review other patches and bugs.
Comment #13
ryanrain CreditAttribution: ryanrain commentedi uploaded contact.module rev 1.53, checked the new 'access personal contact forms' for all roles including anonymous, but still can't seem to access personal contact forms as an anonymous user.
instead of the old "Please login or register to send %name a message.", the new version returns an access denied.
i know there's been discussion of preventing spam by restricting access to registered users, but now that we're providing the option in the access control panel, it seems like it should work, perhaps with a warning. i couldn't see any code that would generate a 'from' field for anonymous users.
learning this stuff bit by bit,
-ryan
Comment #14
ryanrain CreditAttribution: ryanrain commentedoops
Comment #15
Bèr Kessels CreditAttribution: Bèr Kessels commented@ryanrain we now use the standard access methods. And not some inconsistent message. There are ways to generate a nice, context sensitive access denied page.
Comment #16
ryanrain CreditAttribution: ryanrain commentedso, am i to understand that there are no plans to let admins allow anonymous users access to personal contact forms?
Comment #17
webchick> so, am i to understand that there are no plans to let admins allow anonymous users access to personal contact forms?
There are no plans, period. :) If you want something like this, file a new feature request, preferably with a patch! :) This issue is solely about separating permissions to enable the site-wide contact form and user-specific forms.
Comment #18
(not verified) CreditAttribution: commentedComment #19
rapsli CreditAttribution: rapsli commentedtried to apply the patch. Does it not work anymore for 5.7? I get an acces denied for the guest
Comment #20
fluffy998 CreditAttribution: fluffy998 commentedI've tried applying the patch and receive an error - 1 out of 2 hunks failed. Is the patch not meant for 5.7?, or am I doing something wrong?
Any help would be much appreciated.
Comment #21
glass.dimly CreditAttribution: glass.dimly commentedThis module may do what people want: http://drupal.org/project/contact_anon
jmjohn
Comment #22
dwees CreditAttribution: dwees commentedThis doesn't seem to have actually made it into Drupal 5.7, or at least it's no longer in Drupal 5.10. Any ideas what happened to this issue?
Comment #23
amariotti CreditAttribution: amariotti commentedIt was never committed to core. Not sure why this functionality can't be added to Drupal CORE.
Comment #24
oldrobb CreditAttribution: oldrobb commentedThis patch doesn't seem to be applicable for later versions of Drupal 5 (5.12, for example...)
This issue seems to be very similar to
Disable profile contact forms checkbox and tab
http://drupal.org/node/35374
and
Hide contact tab for users who have option disabled
http://drupal.org/node/60483
However, neither of these seem to be applicable to later versions of Drupal 5 either.
Any chance of an applicable version?
I've commented on this one, rather than on either of the others, as this one specifically says it's for Drupal 5 (i.e. 5.7) whereas the others aren't specific. (This one has also been commented on most recently.)
Comment #25
Andrew Gorokhovets CreditAttribution: Andrew Gorokhovets commentedIt's for D6
Comment #26
Andrew Gorokhovets CreditAttribution: Andrew Gorokhovets commentedSory,This correct
Comment #27
Liliplanet CreditAttribution: Liliplanet commentedThank you andrew_jw, works wonderfully and should really be incorporated in the core contact.module.
Comment #28
CarbonPig CreditAttribution: CarbonPig commentedHi Andrey,
I applied the patch and I see the new permissions show up - "user contact form".
It seems to work for authenticated users, but it still shows "access denied" for anonymous users.
I tried refreshing the cache, but I can't get it to work.
Please correct me if I'm wrong, but I thought the patch would allow anonymous users to be able to access and use the contact form for authenticated users.
Please help,
CarbonPig
Comment #29
ianchan CreditAttribution: ianchan commentedsubscribe
Comment #30
Gabriel R. CreditAttribution: Gabriel R. commentedComment #31
rootworkThis was marked closed awhile ago, but since people are still posting to it (and it turned up in my own search results), for the latest on this see #601250: Allow anonymous users to use personal contact forms and #58224: Allow anonymous users access to a members personal contact form
For backports of the functionality in question from D7, see http://drupal.org/project/contact/