I searched to see if this was answered already, but didn't see anything on the intended behavior. It appears that in the latest release, any user that can access a user's profile can now also access that user's vote history. I found the thread where the change originated (http://drupal.org/node/1246392).
Should this...
```php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}
```
Be this...
```php
function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users');
}
```
I guess you could add an additional check allowing users to view their own vote page if that is desired.
```php
function vud_can_see_votes($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}
```
Comment | File | Size | Author |
---|---|---|---|
#1 | 0001-Issue-1321334-by-pwrovchz-marvil07-Fixed-Access-chec.patch | 1.22 KB | marvil07 |
Comments
Comment #1
marvil07 commented:
Thanks for reporting :-)
Reviewing in detail the code of user_view_access(), I see what you mean. Yes, there is a problem there since it allows access for people with 'access user profiles' permission to access what only 'access vote up/down statistics' permission enabled users should see.
So, here is the patch I have pushed to 6.x-3.x and 6.x-2.x. It's not exactly what you wrote, and is instead completely based on user_view_access() logic.
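The access difference discussed in this thread can be checked with a small permission matrix. This is an added example, not code from the module, the posts above or the pushed patch: it runs without Drupal, and its `user_access()` and `user_view_access()` are simplified stand-ins (an assumption), with the function names `vud_can_see_votes_reported` and `vud_can_see_votes_proposed` and all sample accounts constructed for illustration.

```php
<?php
// Stand-alone model, runs without Drupal. user_access() and user_view_access()
// are simplified stand-ins (assumption), not Drupal core's code.
$user = NULL; // current viewer, mirrors Drupal's global $user

function user_access($perm) {
  global $user;
  return in_array($perm, $user->perms, TRUE);
}

// Assumed model of the profile check: own profile, user administrators,
// or 'access user profiles' on an active account.
function user_view_access($account) {
  global $user;
  return $user->uid == $account->uid
    || user_access('administer users')
    || ($account->status == 1 && user_access('access user profiles'));
}

// The check quoted first in the report (the behaviour being reported).
function vud_can_see_votes_reported($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}

// The reporter's last proposal: statistics permission, user admin, or own page.
function vud_can_see_votes_proposed($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}

// Constructed sample data: one active target account and four viewers.
$target = (object) array('uid' => 10, 'status' => 1);
$viewers = array(
  'profile viewer' => (object) array('uid' => 20, 'perms' => array('access user profiles')),
  'stats viewer'   => (object) array('uid' => 21, 'perms' => array('access vote up/down statistics')),
  'user admin'     => (object) array('uid' => 22, 'perms' => array('administer users')),
  'account owner'  => (object) array('uid' => 10, 'perms' => array()),
);
foreach ($viewers as $label => $viewer) {
  $user = $viewer;
  printf("%-15s reported=%-5s proposed=%s\n", $label, var_export(vud_can_see_votes_reported($target), TRUE), var_export(vud_can_see_votes_proposed($target), TRUE));
}
```

Only the "profile viewer" row differs between the two checks: a viewer holding just 'access user profiles' passes the reported check and fails the proposed one. A table like this is a convenient regression test to keep alongside any access callback that delegates to a broader check.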