In the taxonomy module, users need the 'access content' permission for access to taxonomy/term/x and indeed anything to do with taxonomy, and hence a user without this permission can't discover the names of any terms.

So technically, we shouldn't show *any* taxonomy form to a user without that permission.

Comments

yeputons

Attachment: status new, size 648 bytes

I think that it's easy. But we cannot do anything with Views fields, can we? User terms uses standard Views handlers, which don't have any access checking.

yeputons

Status: Active » Needs review

joachim

Yup, it's a simple patch, but I posted this also to see what people think of the change :)

Going to leave it open a while longer.

joachim

Status: Needs review » Fixed

Attachment: status new, size 1.1 KB

Probably better done with FormAPI's #access property. That way, if there are other modules that want to provide more subtle access such as to a single vocabulary, they can still find the form and change it. Though granted, having users who have accounts but can't see content is probably a rare case...

#784248 by joachim, yeputons: Fixed terms shown to users without 'access content' permission.
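The trade-off described in the comment above, as an added example that is not the User terms module's code or part of the thread: it compares leaving the element out of the form with gating it through `#access`, then lets a second module refine access. Assumptions: Drupal 6/7-style `user_access()` and `#access`; the `example_terms` key, the `othermodule` alter function and the 'use example vocabulary' permission are hypothetical, and `user_access()` is stubbed so the script runs outside Drupal.

```php
<?php
// Added example. Outside Drupal, stub user_access() so the script runs alone;
// the permission list is constructed sample data.
$GLOBALS['example_perms'] = array('use example vocabulary');
if (!function_exists('user_access')) {
  function user_access($perm) {
    return in_array($perm, $GLOBALS['example_perms'], TRUE);
  }
}

// Hypothetical term selector; the key and options are illustrative.
function example_terms_element() {
  return array(
    '#type' => 'select',
    '#title' => 'Terms',
    '#options' => array(1 => 'Example term'),
  );
}

// Variant A: the element is only built for users with 'access content'.
function example_form_conditional() {
  $form = array();
  if (user_access('access content')) {
    $form['example_terms'] = example_terms_element();
  }
  return $form;
}

// Variant B: the element is always built and gated with #access, which
// FormAPI honours by neither rendering it nor accepting input for it.
function example_form_access() {
  $form = array('example_terms' => example_terms_element());
  $form['example_terms']['#access'] = user_access('access content');
  return $form;
}

// Hypothetical second module refining access for its own permission.
function othermodule_form_alter(&$form, &$form_state, $form_id) {
  if (isset($form['example_terms']) && user_access('use example vocabulary')) {
    $form['example_terms']['#access'] = TRUE;
  }
}

$state = array();
foreach (array('example_form_conditional', 'example_form_access') as $builder) {
  $form = $builder();
  othermodule_form_alter($form, $state, 'user_profile_form');
  $visible = !empty($form['example_terms']['#access']);
  print $builder . ': ' . ($visible ? 'shown' : 'hidden') . "\n";
}
```

In variant A the alter function finds nothing to change, so the element stays absent; in variant B the element is present with `#access` set to `FALSE` until the other module decides otherwise.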

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.