Closed (fixed)
Project:
Drupal core
Version:
4.7.3
Component:
profile.module
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
5 Oct 2006 at 02:26 UTC
Updated:
2 Nov 2006 at 12:03 UTC
Jump to comment: Most recent file
At http://drupal.org/node/64893, a fix has been submitted to remove visibility of unused accounts to deter spammers.
When viewing such an account, a user gets a 404.
The problem is that such accounts are still listed in the user list (profile), so a user would browse the list, click on the profile link for another user, and get a 404.
To reproduce: create a new account, and go to ?q=profile (possibly as another non-admin user).
Without the patch, the newly created but never accessed account is listed but accessing the profile gives a 404.
With the patch, the account is not listed in the first place.
The admin can still see all users, regardless of status, at ?q=admin/user/user .
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | user_list_47.diff_0.txt | 1.37 KB | beginner |
| #10 | user_list4.diff.txt | 1.38 KB | mhutch |
| #4 | user_list3.diff.txt | 1.38 KB | mhutch |
| #3 | user_list2.diff.txt | 1.36 KB | beginner |
| #1 | user_list_47.diff.txt | 795 bytes | beginner |
Comments
Comment #1
beginner commentedhere's a patch for 4.7
Comment #2
pwolanin commentedCan we combine this patch with some version of this one: http://drupal.org/node/84490
Or is it better to keep these issues separate?
Comment #3
beginner commentedWhat you are trying to achieve seems different.
This patch fixes a simple issue and should get committed soon.
I missed a query in my earlier patch.
Comment #4
mhutch commentedActually, this issue is a duplicate of http://drupal.org/node/73804, not the other way around, because this one is newer.
Also, my (older) patch in the other issue is better, because it also hides blocked users and admin-created users (access=-1, see http://drupal.org/node/84490). The header format of the patch may not have been quite right, but I've edited it into this one. I've also removed some unnecessary string parsing.
Comment #5
beginner commentedI just notice a mistake I made in my original patch that you copied in the second.
Shouldn't
statusbeu.status?Comment #6
beginner commented... I mean in the first query, not in the second, obviously.
Comment #7
mhutch commentedNah, I made the mistake in my original patch too ;-)
It doesn't really matter, because there is no 'status' field in {profile_values}.
Comment #8
beginner commentedThe patch is good, then.
Comment #9
dries commentedThe check on status makes sense but what is the rationale with hiding admin created users? These are valid users, regardless of the fact they logged on. Not being able to see these might be confusing. Does it trigger a bug when you try to view their profile?
Comment #10
mhutch commentedSorry, I misunderstood the reasoning behind setting negative access values. Here's an updated patch that will show admin-created users.
Comment #11
dries commentedGreat job, MikalH. Committed to CVS HEAD. Thanks.
Comment #12
beginner commentedDoes the patch need to be re-rolled for 4.7?
Comment #13
beginner commentedwell, here it is.
Comment #14
gerhard killesreiter commentedcommitted
Comment #15
pwolanin commentedplease look at this related issue now that the above is committed: http://drupal.org/node/84490
Comment #16
killes@www.drop.org commentedMikalH, beginner: Please note that changing " to ' is not always permissible in PHP:
http://drupal.org/node/89405
Comment #17
mhutch commentedOops, sorry! I didn't notice that string interpolation was actually being used :(
Comment #18
(not verified) commented