From 6a209ad2e327174d624b35c003ffe6d2dd211e43 Mon Sep 17 00:00:00 2001
From: Andrew Berry
Date: Fri, 10 Jun 2011 13:57:53 -0400
Subject: [PATCH 1/5] Issue #932814: Prevent switching to blocked user accounts.
---
 masquerade.module | 61 ++++++++++++++++++++++++++++++++++++++++++----------
 1 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index 28d2fb6..c4334af 100644
--- a/masquerade.module
+++ b/masquerade.module
@@ -462,17 +462,42 @@ function masquerade_user_update(&$edit, $account, $category) { $query->execute(); // Save users from settings form. $users = drupal_explode_tags($edit['masquerade_users']); - $query = db_insert('masquerade_users')->fields(array('uid_from', 'uid_to')); - foreach ($users as $username) { - if ($to_user = _masquerade_user_load($username)) { - $query->values(array( - 'uid_from' => $account->uid, - 'uid_to' => $to_user->uid, - )); + if ($edit['status'] == 1) { + $query = db_insert('masquerade_users')->fields(array('uid_from', 'uid_to')); + foreach ($users as $username) { + if ($to_user = _masquerade_user_load($username)) { + $query->values(array( + 'uid_from' => $account->uid, + 'uid_to' => $to_user->uid, + )); + } + } + $query->execute(); + } + else { + // If the user account is blocked it should be removed as an option for masquerading. + db_delete('masquerade_users') + ->condition('uid_to', $account->uid) + ->execute(); + $quick_switches = variable_get('masquerade_quick_switches', array()); + $test_user = variable_get('masquerade_test_user', ''); + if (in_array($account->uid, $quick_switches)) { + $quick_switches_query = db_select('users'); + $quick_switches_query->addField('users', 'uid'); + $quick_switches_query->condition(db_and()->condition('status', 1)->condition('uid', $quick_switches, 'IN')); + $quick_switches = $quick_switches_query->execute()->fetchCol(); + variable_set('masquerade_quick_switches', $quick_switches); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account-name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. 
This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name), WATCHDOG_NOTICE); + } + // If we just blocked the masquerade test user, we'll need to kill the test user menu item. + if (!strcmp($test_user, $account->name)) { + variable_set('masquerade_test_user',''); + menu_rebuild(); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. The menu link for this account has been removed.', array('%user' => $account->name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. The memnu link for this account has been removed.', array('%user' => $account->name), WATCHDOG_NOTICE); } } - $query->execute(); - $edit['masquerade_users'] = NULL; // Update user session... // @TODO check other way of session API. @@ -554,7 +579,11 @@ function masquerade_block_1() { $quick_switches = variable_get('masquerade_quick_switches', array()); // Add in user-specific switches, and prevent duplicates. - $user_switches = db_query("SELECT uid_to FROM {masquerade_users} WHERE uid_from = :uid_from", array(':uid_from' => $user->uid))->fetchCol(); + $user_switches_query = db_select('masquerade_users', 'mu'); + $user_switches_query->addField('mu', 'uid_to'); + $user_switches_query->join('users', 'u', 'mu.uid_to = u.uid AND u.status = 1'); + $user_switches_query->condition('mu.uid_from', $user->uid); + $user_switches = $user_switches_query->execute()->fetchCol(); $masquerade_switches = array_unique(array_merge($quick_switches, $user_switches)); foreach ($masquerade_switches as $switch_user) { 
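Review bot: The new `if ($edit['status'] == 1)` / `else` split treats a missing status as "blocked": when user_save() is invoked with a partial $edit that carries no 'status' key (core's own status handling in user_save() is guarded with isset(), as far as I recall), `$edit['status']` is NULL, the insert of the user's own masquerade_users rows is skipped after the delete that precedes this hunk, and the else branch removes the account from masquerade_users and the quick switches and announces it as blocked although it is active. Patch 5/5 reshapes the branch into `$category == 'account' && $edit['status'] == 0`, but `NULL == 0` is true in PHP, so the same misfire survives there. Guard on the key being present, `if ($category == 'account' && isset($edit['status']) && $edit['status'] == 0) {`, or derive the state from `$account->status`, which hook_user_update() receives as the reloaded account. masquerade_user_update() starts before this hunk.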
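Review bot: The new join restricts the per-user switches to `u.status = 1`, but `$quick_switches` on the line above is still read straight from the variable, so a uid that was blocked without passing through masquerade_user_update() (an account blocked before this patch was deployed, or changed directly in the database) keeps its link in the block; masquerade_switch_user() now refuses the click, but the link is still rendered. Running the merged `$masquerade_switches` through the same status filter, or joining both sources against {users} in this one query, would keep the block consistent with the switch check. The loop that renders the links continues outside the hunk.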
@@ -661,7 +690,7 @@ function masquerade_autocomplete($string) {
 $matches[$anonymous] = $anonymous;
 }
 // Other suggestions.
- $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER(:string)", 0, 10, array(
+ $result = db_query_range("SELECT name FROM {users} WHERE status = 1 AND LOWER(name) LIKE LOWER(:string)", 0, 10, array(
 ':string' => $string . '%',
 ));
 foreach ($result as $user) {
@@ -699,7 +728,7 @@ function masquerade_autocomplete_multiple($string, $add_anonymous = TRUE) {
 }
 }
 // Other suggestions.
- $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE :string", 0, 10, array(
+ $result = db_query_range("SELECT name FROM {users} WHERE status = 1 AND LOWER(name) LIKE :string", 0, 10, array(
 ':string' => $last_string . '%',
 ));
 foreach ($result as $user) {
@@ -757,6 +786,14 @@ function masquerade_switch_user($uid) {
 $new_user = user_load($uid);
+ // Check to see if user is blocked
+ if (!empty($new_user->uid) && empty($new_user->status)) {
+ drupal_set_message(t('You cannot masquerade as %user because this account is blocked.', array('%user' => $new_user->name)), 'error');
+ watchdog('masquerade', 'An attempt to masquerade as %user failed because this account is blocked.', array('%user' => $new_user->name), WATCHDOG_ERROR);
+ return FALSE;
+ }
+
+
 $roles = array_keys(array_filter(variable_get('masquerade_admin_roles', array())));
 $perm = $uid == 1 || array_intersect(array_keys($new_user->roles), $roles) ? 'masquerade as admin' :
-- 1.7.5.2
From 0bb74d7a1e7d96680fbcd7e02c2c46baf3f9f4a9 Mon Sep 17 00:00:00 2001
From: Andrew Berry
Date: Fri, 10 Jun 2011 14:18:49 -0400
Subject: [PATCH 2/5] Issue #932814: Fix minor code style issues.
---
 masquerade.module | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index c4334af..c1cb7f2 100644
--- a/masquerade.module
+++ b/masquerade.module
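Review bot: Both rewritten queries (this one and the one in masquerade_autocomplete_multiple() in the next hunk) still hand the raw user input to LIKE, so `%` and `_` typed into the field act as wildcards and a lone `%` lists the first ten active accounts; escape the parameter on the line below, `':string' => db_like($string) . '%',` and `':string' => db_like($last_string) . '%',` respectively. The added `status = 1` filter is the right place for it, since it keeps blocked accounts out of the suggestion list as well as out of the switch.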
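Review bot: The blocked check is placed before the permission test that follows on `$perm` (the test itself lies outside the hunk), so a caller who lacks the masquerade permission for the target still gets the 'because this account is blocked' message and a watchdog entry naming the account; moving the check after the permission test keeps the block status of accounts from being disclosed to users who could not switch to them anyway. The guard also leans on `!empty($new_user->uid)` to skip anonymous, and when `user_load()` returns FALSE for an unknown uid the property access on that line raises a notice (pre-existing); `if ($new_user === FALSE) { return FALSE; }` before it would settle both cases. The two blank added lines after the closing brace are one more than the file's style elsewhere in the hunk, which patch 2/5 trims.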
@@ -792,7 +792,6 @@ function masquerade_switch_user($uid) {
 watchdog('masquerade', 'An attempt to masquerade as %user failed because this account is blocked.', array('%user' => $new_user->name), WATCHDOG_ERROR);
 return FALSE;
 }
-
 $roles = array_keys(array_filter(variable_get('masquerade_admin_roles', array())));
 $perm = $uid == 1 || array_intersect(array_keys($new_user->roles), $roles) ?
-- 1.7.5.2
From fc911421d648cc08d9d9bd599be1f17f8f17b351 Mon Sep 17 00:00:00 2001
From: Andrew Berry
Date: Fri, 10 Jun 2011 14:23:59 -0400
Subject: [PATCH 3/5] Issue #932814: Don't deny access to a page when unable to switch accounts.
---
 masquerade.module | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index c1cb7f2..b615399 100644
--- a/masquerade.module
+++ b/masquerade.module
@@ -671,10 +671,7 @@ function masquerade_block_1_validate($form, &$form_state) {
 function masquerade_block_1_submit($form, &$form_state) {
 unset($form);
 $masq_user = _masquerade_user_load($form_state['values']['masquerade_user_field']);
- if (!masquerade_switch_user($masq_user->uid)) {
- drupal_access_denied();
- }
- else {
+ if (masquerade_switch_user($masq_user->uid)) {
 drupal_goto($_SERVER['HTTP_REFERER']);
 }
 }
-- 1.7.5.2
From e44cc6221ed97b2b1ac3b354d76b6f73d2a2c41a Mon Sep 17 00:00:00 2001
From: Andrew Berry
Date: Fri, 10 Jun 2011 14:31:48 -0400
Subject: [PATCH 4/5] Issue #932814: Fix typo in dsm() when removing a blocked account from the list of quick switches.
---
 masquerade.module | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index b615399..df8cf71 100644
--- a/masquerade.module
+++ b/masquerade.module
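Review bot: With the access-denied branch gone, a failed switch in masquerade_block_1_submit() now falls through silently and the only feedback is whatever masquerade_switch_user() queued via drupal_set_message(); that is fine for the blocked case, but if `_masquerade_user_load()` returned FALSE the `$masq_user->uid` access on the previous line raises a notice and passes NULL, which the function would then report as a failed switch — masquerade_block_1_validate() presumably rejects such input first, worth confirming. The redirect target `$_SERVER['HTTP_REFERER']` is client-supplied, may be absent, and can point off-site; `drupal_goto(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '<front>');` or carrying the return path in the form as a `destination` query parameter avoids an empty goto. Patch 2/5's hunk above is a whitespace-only change.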
@@ -487,7 +487,7 @@ function masquerade_user_update(&$edit, $account, $category) {
 $quick_switches_query->condition(db_and()->condition('status', 1)->condition('uid', $quick_switches, 'IN'));
 $quick_switches = $quick_switches_query->execute()->fetchCol();
 variable_set('masquerade_quick_switches', $quick_switches);
- drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account-name)));
+ drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name)));
 watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name), WATCHDOG_NOTICE);
 }
 // If we just blocked the masquerade test user, we'll need to kill the test user menu item.
-- 1.7.5.2
From 90f692abe58040319d170db71b162c1c61d11c9e Mon Sep 17 00:00:00 2001
From: Andrew Berry
Date: Fri, 10 Jun 2011 16:06:59 -0400
Subject: [PATCH 5/5] Issue #932814: Fix removing switch links for a blocked account when blocking from the user admin form.
---
 masquerade.module | 66 ++++++++++++++++++++++++++--------------------------
 1 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/masquerade.module b/masquerade.module
index df8cf71..3dd3c73 100644
--- a/masquerade.module
+++ b/masquerade.module
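Review bot: The matching pair of messages a few lines further down in the same function, for the masquerade_test_user case, still carries the `memnu` typo in its watchdog() call (`The memnu link for this account has been removed.`), and it survives into patch 5/5 as well; both of those calls sit outside this hunk. Since the dsm() and watchdog() texts in each pair are identical, keeping the text once, `$message = '%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.';`, and passing it to both t() and watchdog() would stop the two copies drifting apart again.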
@@ -474,42 +474,42 @@ function masquerade_user_update(&$edit, $account, $category) { } $query->execute(); } - else { - // If the user account is blocked it should be removed as an option for masquerading. - db_delete('masquerade_users') - ->condition('uid_to', $account->uid) - ->execute(); - $quick_switches = variable_get('masquerade_quick_switches', array()); - $test_user = variable_get('masquerade_test_user', ''); - if (in_array($account->uid, $quick_switches)) { - $quick_switches_query = db_select('users'); - $quick_switches_query->addField('users', 'uid'); - $quick_switches_query->condition(db_and()->condition('status', 1)->condition('uid', $quick_switches, 'IN')); - $quick_switches = $quick_switches_query->execute()->fetchCol(); - variable_set('masquerade_quick_switches', $quick_switches); - drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name))); - watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name), WATCHDOG_NOTICE); - } - // If we just blocked the masquerade test user, we'll need to kill the test user menu item. - if (!strcmp($test_user, $account->name)) { - variable_set('masquerade_test_user',''); - menu_rebuild(); - drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. The menu link for this account has been removed.', array('%user' => $account->name))); - watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. 
The memnu link for this account has been removed.', array('%user' => $account->name), WATCHDOG_NOTICE); - } + } + if ($category == 'account' && $edit['status'] == 0) { + // If the user account is blocked it should be removed as an option for masquerading. + db_delete('masquerade_users') + ->condition('uid_to', $account->uid) + ->execute(); + $quick_switches = variable_get('masquerade_quick_switches', array()); + $test_user = variable_get('masquerade_test_user', ''); + if (in_array($account->uid, $quick_switches)) { + $quick_switches_query = db_select('users'); + $quick_switches_query->addField('users', 'uid'); + $quick_switches_query->condition(db_and()->condition('status', 1)->condition('uid', $quick_switches, 'IN')); + $quick_switches = $quick_switches_query->execute()->fetchCol(); + variable_set('masquerade_quick_switches', $quick_switches); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. This account has been removed from the list of available quick switches in the Masquerade block.', array('%user' => $account->name), WATCHDOG_NOTICE); } - - // Update user session... - // @TODO check other way of session API. - if (!empty($_masquerade_old_session_id)) { - $query = db_update('masquerade'); - $query->fields(array( - 'sid' => session_id(), - )); - $query->condition('sid', $_masquerade_old_session_id); - $query->execute(); + // If we just blocked the masquerade test user, we'll need to kill the test user menu item. + if (!strcmp($test_user, $account->name)) { + variable_set('masquerade_test_user',''); + menu_rebuild(); + drupal_set_message(t('%user is blocked and is no longer a valid option for masquerading. 
The menu link for this account has been removed.', array('%user' => $account->name))); + watchdog('masquerade', '%user is blocked and is no longer a valid option for masquerading. The memnu link for this account has been removed.', array('%user' => $account->name), WATCHDOG_NOTICE); } } + + // Update user session... + // @TODO check other way of session API. + if (!empty($_masquerade_old_session_id)) { + $query = db_update('masquerade'); + $query->fields(array( + 'sid' => session_id(), + )); + $query->condition('sid', $_masquerade_old_session_id); + $query->execute(); + } } /** -- 1.7.5.2
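Review bot: After `fetchCol()` on the in_array() branch, `masquerade_quick_switches` is rewritten as a plain list of uid strings from {users}, whereas whatever wrote the variable originally (the settings form, not visible here) may store it keyed by uid; `array_unique(array_merge(...))` in masquerade_block_1() copes with either shape, but any reader that relies on the keys would see it change — worth checking against the settings form before relying on it. `if (!strcmp($test_user, $account->name))` is a C idiom for equality; `if ($test_user === $account->name)` states the intent directly. `menu_rebuild()` inside a user-save hook triggers a full menu rebuild whenever the test user is blocked, rare enough to be acceptable but worth a one-line comment saying why it is needed there. masquerade_user_update() starts before this hunk.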