I've tested on a non-English Drupal installation. Using bulk operation, a user who doesn't have the edit permission can still block/unblock any user including the administrator. After submission, I see the error message AND successful message. The selected user(s) are in fact blocked (or unblocked).
This may be due to the fact that I'm using non-English UI, but nonetheless, a security concern.
BTW: This module is a lifesaver for me. Thank you so much for compiling the patches and whatnot into one place!
Comment | File | Size | Author |
---|---|---|---|
#15 | administerusersbyrole-hide_access_denied_links-1670954-15.patch | 807 bytes | ptsimard |
#12 | administerusersbyrole.module-1670954.patch | 1.25 KB | snuyt |
#3 | administerusersbyrole-load-name-role-1670954.patch | 526 bytes | denison |
Comments
Comment #1
NobuT commented:
To mitigate the issue, I've added a form alter hook so that users for whom the current user doesn't have the edit permission don't show up.
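
One way to implement the mitigation described in comment #1 for the bulk form at admin/people, added here as an example; it is not NobuT's code or the Administer Users by Role module's code. The module name `mymodule`, the helper `mymodule_can_edit_account()`, the validation handler and the permission string are hypothetical and stand in for the site's real per-role rule.

```php
<?php
// Added example for a hypothetical Drupal 7 module "mymodule".

/**
 * Hypothetical rule: may the current user change this account?
 */
function mymodule_can_edit_account($account) {
  global $user;
  // Assumption: only uid 1 may act on uid 1.
  if ($account->uid == 1) {
    return $user->uid == 1;
  }
  // Constructed permission name; declare it in hook_permission().
  return user_access('mymodule edit other users');
}

/**
 * Implements hook_form_FORM_ID_alter() for user_admin_account().
 */
function mymodule_form_user_admin_account_alter(&$form, &$form_state) {
  // Remove rows for accounts the current user may not change.
  if (!empty($form['accounts']['#options'])) {
    $uids = array_keys($form['accounts']['#options']);
    foreach (user_load_multiple($uids) as $uid => $account) {
      if (!mymodule_can_edit_account($account)) {
        unset($form['accounts']['#options'][$uid]);
      }
    }
  }
  // Re-check the submitted uids, whatever rows were rendered.
  $form['#validate'][] = 'mymodule_user_admin_account_validate';
}

/**
 * Validation handler: a form error stops the bulk operation from running.
 */
function mymodule_user_admin_account_validate($form, &$form_state) {
  $values = $form_state['values'];
  $uids = empty($values['accounts']) ? array() : array_filter($values['accounts']);
  foreach (user_load_multiple($uids) as $account) {
    if (!mymodule_can_edit_account($account)) {
      form_set_error('accounts', t('You are not allowed to update %name.',
        array('%name' => format_username($account))));
    }
  }
}
```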
Comment #2
mrfelton commented:
Moving over to the Administer Users by Role queue.
Comment #3
denison commented:
Sorry, I did not understand where the topic has been moved. I had a similar problem, with the same message. But in my case I was using the UI in English.
What was happening: in place of the string with the name of the role, the id was coming through, e.g. id => id.
Solved with this patch. I'm using version 7.x-1.0-beta1.
Comment #4
NobuT commented:
Thanks for the patch. It seems to be working.
Comment #5
edb commented:
Works fine here too, moving to RTBC.
Also marking as major as this bug prevents any user apart from user 1 from editing a user's status.
Comment #6
dmegatool commented:
The #1 solution works, but when I create a new user, it's back to the old behavior. When I clear the cache, it works again and only the appropriate users are shown...
Any idea what's causing this and how to fix it?
EDIT: Found out that it happens when I create a user while using the overlay/seven theme. If I disable the admin theme and create the user, everything's fine. I've put the code in my theme template.tlp.php... Is that where it goes? I would like to re-enable the admin theme overlay.
EDIT 2: I copied the code over to Seven's template.tlp.php, which I find kinda hacky. Works now, but if the theme gets updated... Anyway, maybe someone could answer to help others.
Comment #7
Dimetry commented:
I have the same issue.
Using bulk operation the user can block/unblock any other user, including the Administrator.
I'm waiting for an update to the module.
And thanks for the module.
Comment #8
HaloFX commented:
Applied #3 to beta1 and dev, both applied OK, but didn't resolve issue.
Comment #9
gaele commented:
#1717876: Remove dependency on 'Administer users' permission
Comment #10
gaele commented:
Sorry, 1717876 appears to be another issue.
Comment #11
snuyt commented:
Using
```php
function administerusersbyrole_user_presave(&$edit, $account, $category) {
```
instead of
```php
function administerusersbyrole_user_update(&$edit, $account, $category) {
```
is probably a good idea?
Comment #12
snuyt commented
Comment #13
gaele commented
Comment #15
ptsimard commented:
Hello,
while not dealing with the other patches right now, I just thought that NobuT's hook at comment #1 needed its own patch as it is very useful.
Comment #16
ptsimard commented
Comment #18
AdamPS commented:
I intend to fix this as part of #2378869: Meta-issue for Beta 2 release. Please sign up as a follower of that issue and there will shortly be a patch that I would like feedback on.
Roughly speaking, I took the patch in #15 but tweaked the permissions to guard permissions to users' own accounts more carefully.
Should now be fixed on that issue, please let me know.
Comment #19
AdamPS commented:
Fix now available in latest release.