Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
User module sets #access to the username and status fields to false unless the user has administer users permission. This module needs to override that if it is granting access to edit the user, otherwise not all properties can be properly edited.
Comments
Comment #1
mrfelton CreditAttribution: mrfelton commentedFixed in dev
Comment #3
Rob230 CreditAttribution: Rob230 commentedIt seems that after installing the dev version everyone is allowed to edit their own username, regardless of the 'change own username' permission.
Expected beheviour would be that only users with the 'edit users with role x' permission would be able to change usernames (and everything else) of users with that role.
This is because in administerusersbyrole_form_user_profile_form_alter() you have:
And at the start of _administerusersbyrole_can_edit_user() is:
Therefore everyone is considered an admin on their own page, so everyone will be allowed to edit their username and the 'change own username' permission is being ignored.
Comment #4
AdamPS CreditAttribution: AdamPS commentedIn #3
You can also edit your own account if you have 'administer users' permission. So I think we can extend that in our module to say you can edit your own username if you have permissions that would allow editing of it as an admin based on roles (i.e. even if it wasn't your account you own could edit it).
I would like to fix this as part of #2378869: Meta-issue for Beta 2 release. Please sign up as a follower of that issue. However note that the first patch just posted doesn't solve it.
Comment #6
AdamPS CreditAttribution: AdamPS commentedFix now available in latest release
Comment #7
AdamPS CreditAttribution: AdamPS commentedComment #8
AdamPS CreditAttribution: AdamPS commented