I've tested on a non-English Drupal installation. Using the bulk operation, a user who doesn't have the edit permission can still block/unblock any user, including the administrator. After submission, I see the error message AND the success message. The selected user(s) are in fact blocked (or unblocked).
This may be due to the fact that I'm using a non-English UI, but it is nonetheless a security concern.
BTW: This module is a lifesaver for me. Thank you so much for compiling the patches and whatnot into one place!
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es).