I've tested on a non-English Drupal installation. Using bulk operation, a user who doesn't have the edit permission can still block/unblock any user including the administrator. After submission, I see the error message AND successful message. The selected user(s) are in fact blocked (or unblocked).

This may be due to the fact that I'm using non-English UI, but nonetheless, a security concern.

BTW: This module is a lifesaver for me. Thank you so much to compile the patches and whatnot into one place!

Files: 
CommentFileSizeAuthor
#3 administerusersbyrole-load-name-role-1670954.patch526 bytesdenison
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es).
[ View ]

Comments

To mitigate the issue, I've added form alter hook so that users that the current user doesn't have the edit permission don't show up.

<?php
/**
* Implements hook_form_user_admin_account_alter().
*/
function administerusersbyrole_form_user_admin_account_alter(&$form, &$form_state, $form_id) {
   
// Remove rows if I don't have access to them.
 
foreach ($form['accounts']['#options'] as $uid => $fields) {
   
$account = user_load($uid);
    if (!
_administerusersbyrole_can_edit_user($account)) {
      unset(
$form['accounts']['#options'][$uid]);
    }
  }
}
?>

Project:Administer Users by Role D7» Administer Users by Role
Version:» 7.x-1.0-beta1

Moving over to the Administer Users by Role queue.

StatusFileSize
new526 bytes
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es).
[ View ]

Sorry, I did not understand where the topic has been moved. I had a similar problem, with the same message. But in my case I was using UI in English.

What was happening: In place of the string with the name of the role, was coming from the id eg id => id.

 Solved with this patch. I'm using version 7.x-1.0-beta1

Thanks for the patch. It seems working.

Priority:Normal» Major
Status:Active» Reviewed & tested by the community

Works fine here too, moving to RTBC.

Also marking as major as this bug prevents any user apart from user 1 from editing a users status.

#1 solution works but when I create a new user, it's back to the old behavior. When I clear the cache, it works again and only the appropriate users are shown...

Any idea what's causing this and how to fix ?

EDIT: Found out that's when I create a user when using the overlay/seven theme. If I disable the admin theme and create the user, everything's fine. I've put the code in my theme template.tlp.php... Is that where it goes ? I would like to reenable the admin theme overlay.

EDIT 2: I copied over the code to the Seven's template.tlp.php which I find kinda hacky. Works now but if the theme gets updated... Anyway maybe someone could answer to help others.

I have same issue.
Using bulk operation the user can block/unblock any other user, includes Administator.
I'm waiting for update the module.
And thanks for module.

Applied #3 to beta1 and dev, both applied OK, but didn't resolve issue.

Issue summary:View changes
Priority:Major» Critical
Status:Reviewed & tested by the community» Closed (duplicate)

Status:Closed (duplicate)» Needs work

Sorry, 1717876 appears to be another issue.