security hole in user_user_operations [#89323]

when i first wrote the code for hook_user_operations, i unfortunately neglected to realize that the role assignment shortcuts should only be available to users w/ the 'administer access control' permission. thus currently anybody w/ 'administer users' permissions can assign themselves any role and gain unauthorized access to other areas of the site. not good...

attached patch corrects this.

tested and working well on a clean current HEAD.

Comment	File	Size	Author
#1	user_op_0.patch	2.73 KB	hunmonk
	user_op.patch	2.75 KB	hunmonk

Comments

Comment #1

hunmonk commented 15 October 2006 at 18:41

Status	File	Size
new	user_op_0.patch	2.73 KB

chx suggested a += instead of an array_merge.

once again tested and working fine on a clean HEAD

Comment #2

chx commented 15 October 2006 at 18:43

Status:

Needs review

» Reviewed & tested by the community

Comment #3

dries commented 15 October 2006 at 20:10

Status:

Reviewed & tested by the community

» Fixed

Committed to CVS HEAD. Thanks.

Comment #4

(not verified) commented 29 October 2006 at 20:15

Status:

Fixed

» Closed (fixed)

security hole in user_user_operations

Comments

Comment #1

Comment #2

Comment #3

Comment #4

News items

Our community

Documentation

Drupal code base

Governance of community