I searched to see if this was answered already, but didn't see anything on the intended behavior. It appears that in the latest release, any user that can access a user's profile can now also access that user's vote history. I found the thread where the change originated (http://drupal.org/node/1246392).

Should this...

function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}

Be this...

function vud_can_see_votes($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users');
}

I guess you could add an additional check allowing users to view their own vote page if that is desired.

function vud_can_see_votes($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}

Comments

marvil07

Status: Active » Fixed

Thanks for reporting :-)

Reviewing in detail the code of user_view_access(), I see what you mean. Yes, there is a problem there since it allows access for people with 'access user profiles' permission to access what only 'access vote up/down statistics' permission enabled users should see.

So, here is the patch I have pushed to 6.x-3.x and 6.x-2.x. It's not exactly what you wrote, and is instead completely based on user_view_access() logic.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
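
The access difference discussed in this thread, as an added example that is not part of the original posts or the module's code: it runs the first snippet from the report and the reporter's last suggestion against a set of viewers. The `user_access()` and `user_view_access()` stubs are simplified stand-ins modelled on Drupal 6 core, and the `_released`/`_proposed` suffixes, the viewer labels and the sample uids are assumptions made for the illustration.

```php
<?php
// Stand-ins for Drupal 6 core so the script runs on its own (assumption:
// modelled on core's behaviour, simplified; not the module's code).
$GLOBALS['perms'] = array();  // permissions held by the viewing user

function user_access($perm) {
  return in_array($perm, $GLOBALS['perms']);
}

function user_view_access($account) {
  return $account && $account->uid && (
    $GLOBALS['user']->uid == $account->uid ||   // own profile
    user_access('administer users') ||          // user administrators
    ($account->access && $account->status && user_access('access user profiles'))
  );
}

// First snippet from the report: falls back to profile access.
function vud_can_see_votes_released($account) {
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_view_access($account);
}

// Reporter's last suggestion: statistics permission, user admin, or owner.
function vud_can_see_votes_proposed($account) {
  global $user;
  if ($account->status != 1) {
    return user_view_access($account);
  }
  return user_access('access vote up/down statistics') || user_access('administer users') || ($user->uid == $account->uid);
}

// Constructed sample data: one active target account and five viewers.
$target = (object) array('uid' => 7, 'status' => 1, 'access' => 1300000000);
$viewers = array(
  'profile viewer'    => array(3, array('access user profiles')),
  'statistics viewer' => array(4, array('access vote up/down statistics')),
  'user admin'        => array(5, array('administer users')),
  'account owner'     => array(7, array()),
  'no permissions'    => array(8, array()),
);
foreach ($viewers as $label => $v) {
  $GLOBALS['user'] = (object) array('uid' => $v[0]);
  $GLOBALS['perms'] = $v[1];
  printf("%-18s released=%-5s proposed=%s\n", $label,
    var_export(vud_can_see_votes_released($target), TRUE),
    var_export(vud_can_see_votes_proposed($target), TRUE));
}
```

The only row where the two variants disagree is the viewer holding just 'access user profiles', which is the case raised in the report.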