Loading wrong user when editing [#1111974]

Issue: When users with the 'administer user' permission attempt to edit another user's address book, the page loads the wrong user's information. Currently, the 'Address Book' tab loads the logged in user's address book instead of the user to edit's.

Line 148 of addresses_user.inc needs to be changed.

144    drupal_goto("user/$uid/address");
145    break;
146 
147  default:
148    - $addresses = _addresses_user_address_get($user->uid);
148    + $addresses = _addresses_user_address_get($uid);

Comments

Comment #1

AlexisWilke CreditAttribution: AlexisWilke commented 31 March 2011 at 17:25

Wow! That function is completely wrong actually. I think someone reported such a problem before...

If I understand the code I'm reading, if you are logged in and want to go see another user's address but you do not have 'administer users' permission, then you will see YOUR address, even though the path will show that other user UID.

So user/5/address should show user #5 address, but instead you'll get YOURs if you do not have the 'administer users' permission?!

Thank you.
Alexis

Comment #2

sean3z CreditAttribution: sean3z commented 31 March 2011 at 18:10

Yup. Currently (version 6.x-1.10), regardless of the 'administer users' permission, if you go to another user's Address Book it will load your own.
(see #1111940: Incorrect user access for the 'administer users' issue)

Changing $user->uid to $uid on line 148 of addresses_user.inc will reprimand the issue :)