Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The masquerade block appears even if you don't have access to switch users:
- enable masquerade and the masquerade block. optionally add some quick switch users too
- log out and see how the (empty) block appears even though the anonymous user does not have access to any masquerade permission.
The quick links lead to an access denied, so this is not a security issue, but the block should not be displayed.
Comment | File | Size | Author |
---|---|---|---|
#1 | 1116034_1_hide_block.patch | 656 bytes | scor |
Comments
Comment #1
scor CreditAttribution: scor commentedpatch.
PS: probably a good idea to switch from 'master' to a '7.x-1.x' branch in git.
Comment #2
osopolarPatch works as expected.
Comment #3
ZoeN CreditAttribution: ZoeN commentedIssue still exists, and submitted patch works, in rc3, too.
Comment #4
osopolarI use the patch and rc3 on another website and it works well.
Comment #5
Kars-T CreditAttribution: Kars-T commented+1 for the patch.
It is an easy if() block and prevents that the block is shown to any user that is not currently masquerading or doesn't have appropriate access rights.
Comment #6
Kars-T CreditAttribution: Kars-T commentedSetting the issue to RC3
Comment #7
deekayen CreditAttribution: deekayen commentedI'm alright with committing this after #1185018: Rename master branch to 8.x-1.x is resolved so we know where it should go and not get lost in the conversion.
Comment #8
andypostisset() could lead to session creation, see #705858: Don't create session var when not masqerading
Comment #9
andypostRelease blocker
Comment #10
ohcray CreditAttribution: ohcray commentedSubscribe! So glad you guys are working on this. This is critical to the customer service functionality on our (about to launch) site.
Comment #11
andypostThanx, fixed