It seems a little bit strange to me, so I would ask if this is by design or a bug: I set up a view with a block with the user profile and I also wanted to provide users with an edit account link within that block. However, the link shows only when users have the "administer users" permission, which is rather a security hole (right?). My view is:

$view = new view;
$view->name = 'UserInfo';
$view->description = '';
$view->tag = '';
$view->view_php = '';
$view->base_table = 'users';
$view->is_cacheable = FALSE;
$view->api_version = 2;
$view->disabled = FALSE; /* Edit this to true to make a default view disabled initially */
$handler = $view->new_display('default', 'Defaults', 'default');
$handler->override_option('fields', array(
  'uid' => array(
    'label' => 'Uid',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'link_to_user' => 1,
    'exclude' => 1,
    'id' => 'uid',
    'table' => 'users',
    'field' => 'uid',
    'relationship' => 'none',
  ),
  'picture' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'exclude' => 0,
    'id' => 'picture',
    'table' => 'users',
    'field' => 'picture',
    'relationship' => 'none',
  ),
  'value_1' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'exclude' => 0,
    'id' => 'value_1',
    'table' => 'profile_values_profile_aboutme',
    'field' => 'value',
    'relationship' => 'none',
  ),
  'value_2' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => '',
    'hide_empty' => 1,
    'empty_zero' => 0,
    'display_as_link' => 1,
    'exclude' => 0,
    'id' => 'value_2',
    'table' => 'profile_values_profile_url',
    'field' => 'value',
    'relationship' => 'none',
  ),
  'edit_node' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => 'EE',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'text' => 'Edytuj',
    'exclude' => 0,
    'id' => 'edit_node',
    'table' => 'users',
    'field' => 'edit_node',
    'relationship' => 'none',
  ),
  'delete_node' => array(
    'label' => '',
    'alter' => array(
      'alter_text' => 0,
      'text' => '',
      'make_link' => 0,
      'path' => '',
      'link_class' => '',
      'alt' => '',
      'prefix' => '',
      'suffix' => '',
      'target' => '',
      'help' => '',
      'trim' => 0,
      'max_length' => '',
      'word_boundary' => 1,
      'ellipsis' => 1,
      'strip_tags' => 0,
      'html' => 0,
    ),
    'empty' => 'DD',
    'hide_empty' => 0,
    'empty_zero' => 0,
    'text' => 'Usuń',
    'exclude' => 0,
    'id' => 'delete_node',
    'table' => 'users',
    'field' => 'delete_node',
    'relationship' => 'none',
  ),
));
$handler->override_option('arguments', array(
  'uid' => array(
    'default_action' => 'default',
    'style_plugin' => 'default_summary',
    'style_options' => array(),
    'wildcard' => 'all',
    'wildcard_substitution' => 'All',
    'title' => '',
    'breadcrumb' => '',
    'default_argument_type' => 'user',
    'default_argument' => '',
    'validate_type' => 'user',
    'validate_fail' => 'not found',
    'break_phrase' => 0,
    'not' => 0,
    'id' => 'uid',
    'table' => 'users',
    'field' => 'uid',
    'validate_user_argument_type' => 'uid',
    'validate_user_roles' => array(
      '2' => 2,
      '3' => 0,
      '15' => 0,
      '5' => 0,
      '13' => 0,
      '6' => 0,
    ),
    'relationship' => 'none',
    'default_options_div_prefix' => '',
    'default_argument_user' => 0,
    'default_argument_fixed' => '',
    'default_argument_php' => '',
    'validate_argument_node_type' => array(
      'webform' => 0,
      'blog' => 0,
      'article' => 0,
      'book' => 0,
      'news' => 0,
      'page' => 0,
      'partner' => 0,
      'story' => 0,
    ),
    'validate_argument_node_access' => 0,
    'validate_argument_nid_type' => 'nid',
    'validate_argument_vocabulary' => array(
      '12' => 0,
      '15' => 0,
      '16' => 0,
    ),
    'validate_argument_type' => 'tid',
    'validate_argument_transform' => 0,
    'validate_user_restrict_roles' => 1,
    'validate_argument_php' => '',
  ),
));
$handler->override_option('access', array(
  'type' => 'none',
));
$handler->override_option('cache', array(
  'type' => 'none',
));
$handler->override_option('items_per_page', 1);
$handler->override_option('style_plugin', 'list');
$handler->override_option('style_options', array(
  'grouping' => '',
  'type' => 'ul',
));
$handler->override_option('row_options', array(
  'inline' => array(
    'edit_node' => 'edit_node',
    'delete_node' => 'delete_node',
  ),
  'separator' => '/',
  'hide_empty' => 0,
));
$handler = $view->new_display('block', 'Blok', 'block_1');
$handler->override_option('block_description', '');
$handler->override_option('block_caching', -1);

Thank You for any tip!


Comments

merlinofchaos

The links are designed to only show up if a user has permission to use them. How is it a security hole if they show up when a user does not have permission to use them?

mariusz.slonina

They don't show for an authenticated user who does not have the "administer users" permission. I wanted to have something similar to the default Drupal tabs on the profile page -- for design reasons I simply do not show the tabs. So I tried to "move" the tabs to the "profile block". For a logged-in user, on his "profile block", the links don't show up -- the user has permission to edit his own account, right? I agree, the user should not see edit links if he does not have permission to use them (i.e. on the "profile block" of another user). For node links it works great (I did a similar "node block" for regular content types). I don't want to give a regular user the "administer users" permission to access the edit links of his account; this permission is designed to be only for admins or so. Maybe I am missing something, I'll be grateful for any help:)

dawehner

Status: Active » Needs review

It would be possible to move the access check from the access method to the render function. There it would be possible to check whether it's the current user.

So please review the patch

mariusz.slonina

Well, it's almost ok:) However, user_edit_access() needs $account, not $uid. See attached patch. I did the same for delete link.
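The approach the two comments above describe (a per-row check in render() using user_edit_access() with an account object), written out as an added example; this is not the Views project's own handler or the attached patch, and the class name and the parent class's 'uid' alias are assumptions:

```php
<?php
// Added example, not Views' own code: a Views 2 / Drupal 6 field handler for
// the user "edit" link that decides per row in render() instead of once per
// view in access(). Only user_edit_access(), user_access(), l(), t() and
// drupal_get_destination() are Drupal 6 core API; the rest is illustrative.

class example_handler_field_user_link_edit extends views_handler_field_user_link {

  // access() is evaluated once when the view is built, with no row in hand,
  // so it cannot tell whether a row is the viewer's own account. Returning
  // TRUE here and deciding per row below lets the field show for non-admins
  // without granting them 'administer users'.
  function access() {
    return TRUE;
  }

  function render($values) {
    // Alias populated by the parent handler's additional 'uid' field (assumed).
    $uid = $values->{$this->aliases['uid']};

    // user_edit_access() takes an account object, not a bare uid (the point
    // raised above). In Drupal 6 it is TRUE for the current user's own account
    // or for anyone with 'administer users', and FALSE for uid 0.
    $account = new stdClass();
    $account->uid = $uid;
    if (!user_edit_access($account)) {
      // Empty output for rows the viewer may not edit, so the view's
      // 'hide_empty' / 'empty' field options behave as expected.
      return '';
    }

    $text = !empty($this->options['text']) ? $this->options['text'] : t('edit');
    return l($text, "user/$uid/edit", array('query' => drupal_get_destination()));
  }
}
```

The same shape does not work for a delete link on Drupal 6, since there is no self-delete path for users, which is why only the edit change was kept below.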

mariusz.slonina

Forget about the delete patch. I've just realized it is not Drupal6 way...

dawehner

The first patch looks fine.

merlinofchaos

Status: Needs review » Fixed

Committed to all branches -- not the delete one, obviously. Users can't self-delete.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.