Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The user edit link provided by Views doesn't take into consideration our new permissions.
Comment | File | Size | Author |
---|---|---|---|
#2 | 1785554-views_integration_edit_cancel_link-2.patch | 1.51 KB | GeduR |
#1 | 1785554-views-user-link.patch | 1.82 KB | minorOffense |
Comments
Comment #1
minorOffense CreditAttribution: minorOffense commentedThe latest dev has this code started but doesn't quite work yet. There's an
access()
method called in the parent classes for the views handlers which checks if the current user has access to view user profileshttp://api.drupal.org/api/views/modules%21user%21views_handler_field_use...
In our case, we want to check if a given user has access to a specific account given a specific role. Unfortunately, at the time
access()
is run, the query hasn't been run yet and so we can't run an access check against that user.Unless we require that any user who requires access to edit/cancel users using this module to also have the permission "access user profiles", we'll need to override the access function to return TRUE regardless.
If not, then we should add docs stating that you need to ensure the user has "access user profiles" permission set on their role to use the Views integration.
I've included a patch which sets the access to TRUE if that's the method you'd like to use. Otherwise, I can supply a patch with a README.txt describing what to do (and perhaps some extra text in Views to explain what to do).
Comment #2
GeduR CreditAttribution: GeduR commentedPatch #1 works but there is other related issue.
If the current users needs to create other users the "administer users" permission needs to be assigned because in the core register form there is a drupal_goto protection...
So all this kind of users needs this permission('administer users'), because of that in the handler we can't ask for this permission because it will be always true. The links is rendered as normal but the user has no access.
Views handler: wrong
Menu alter: the expected behavior without ('administer users')
Attaching the patch that complements the first one (#1), I don't include the first one in this patch because it's a different (related) issue and maybe some people thinks that "access user profiles" is necessary to edit an user (me not).
Comment #3
AdamPS CreditAttribution: AdamPS commentedIn #1
That seems like the answer to me. If you have permission to alter user profiles it seems entirely reasonable that you ought to also set permission to view them. I'd almost say it's obvious, but seeing as you don't feel the same way I'll see if we can make this clearer in the docs.
The patch in #1 as supplied looks like it ends up slightly altering how views of users work for all users, which I feel is undesirable.
Comment #4
AdamPS CreditAttribution: AdamPS commentedNow covered in README.txt file