Users without permission 'use ulogin' can access profile tab 'uLogin identities' [#1980578]

Users without permission 'use ulogin' can access profile tab 'uLogin identities'.
To avoid this we have to call user_access('use ulogin') in addition to user_edit_access().

Comment	File	Size	Author
	ulogin-6.x-add_access_callback.patch	1.16 KB	quotesBro

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

duozersk

he/him

Russian

Moscow

CreditAttribution: duozersk commented 28 April 2013 at 20:13

Mikhail,

Thanks for the report and patch... but this is "by design" - a user who has permission to edit the shown account has access to the uLogin tab (this would include user admins browsing other users accounts).
Don't really see a reason why you think this is a bug...

Thanks
AndyB

Comment #2

quotesBro CreditAttribution: quotesBro commented 1 May 2013 at 13:01

If some user does not have the permission 'use ulogin', he will see this tab and can open it, but can do nothing on this page. So I think it's a bug. And I thought it's a common practice in Drupal modules to define it's own access callback for profile tabs. Apologize if I am wrong.

Comment #3

duozersk

he/him

Russian

Moscow

CreditAttribution: duozersk commented 1 May 2013 at 15:46

Yeah, you are right... if someone without 'use ulogin' permission goes there then he can't really do anything, but he can see that he has a connected identity.

As for the practice to set a permission per profile tab - don't really know, might be so or might not, can't tell.

I tend to set it as "closed (works as designed)" as if you need to change it - you can always hook_menu_alter(), right? ;) Need to think of it over several days and then will make a decision.

Thanks
AndyB