I enabled the "personal contact form" under "My Account" > "Edit".
I clicked on the link that led to user/4/contact
It says "Access denied
You are not authorized to access this page."

I don't see any permissions for the personal contact form.
The account administrator can see this form at user/4/contact just like normal.

Files:
#72 345541-72-remove-contact-link.patch (2.01 KB, dcam): PASSED: [[SimpleTest]]: [MySQL] 40,323 pass(es).
#70 345541-70-remove-contact-link.patch (2.01 KB, dcam): FAILED: [[SimpleTest]]: [MySQL] 40,369 pass(es), 0 fail(s), and 3 exception(s).
#63 remove-link-345541-63.patch (2.01 KB, kiamlaluno): PASSED: [[SimpleTest]]: [MySQL] 47,999 pass(es).
#57 contact-remove-confusing-urls-345541-57.git_.patch (2.05 KB, gisle): FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch contact-remove-confusing-urls-345541-57.git__0.patch. Unable to apply patch. See the log in the details link for more information.
#57 gisle1.png (13.38 KB, gisle)
#57 gisle2.png (13.71 KB, gisle)
#57 gisle3.png (39.94 KB, gisle)
#51 403-d6.gif (58.16 KB, vj_pdx)
#20 345541-contact-account-form-link-D7.patch (5.83 KB, Dave Reid): Failed: Failed to apply patch.
#9 345541-user-account-contact-form-link-D7.patch (1.7 KB, Dave Reid): Passed: 10931 passes, 0 fails, 0 exceptions
#6 345541-user-account-contact-form-link-D7.patch (1.95 KB, Dave Reid): Passed: 10931 passes, 0 fails, 0 exceptions

Comments

Status: Active » Closed (works as designed)

You cannot access your own contact form.

Title: Access denied to personal contact form » Let users see and use their personal contact form!!
Category: bug » feature

Thanks for the info.

A lot of users are going to click that link and get the error. I'll put removing that link on the list of things for a designer/themer to edit.

Plus, I'll also have to add a emphasized note that clearly explains that only other users will be able to see your contact form.

Even after those changes I'm sure to get emails about "my contact form doesn't show up".

Why not just let them see and use their own form?

Try logging in as one of those users. You shouldn't be able to see the link. On their own user account, users do not see a 'Contact' tab, and should not see any menu item for their own contact form.

If you are a user that has the permission 'administer site-wide contact form,' or you are user #1, you have access to see your own contact form, or anyone else's contact forms.

A user cannot access their contact form because I could change my account's e-mail address to anything I want, and then use my contact form to spam whatever e-mail address I want.

I got to that link while logged in as a normal authenticated user (not user #1).

It's on the description text on the account edit page. It goes like this:
[checkbox] "Personal contact form

Allow other users to contact you by e-mail via your personal contact form. Note that while your e-mail address is not made public to other members of the community, privileged users such as site administrators are able to contact you even if you choose not to enable this feature."

The "your personal contact form" part is a link that leads to the page with "Access denied" on it.

Title: Let users see and use their personal contact form!! » Link to contact form in user account leads to 403.
Version: 6.6 » 7.x-dev
Category: feature » bug
Status: Closed (works as designed) » Active

Aha! Now I know what link you're talking about! I would def. classify that as a bug. Working on a patch for 7.x first, then will backport.

Status: Active » Needs review
File: new, 1.95 KB. Passed: 10931 passes, 0 fails, 0 exceptions

First attempt, I think there may be a better way to do this, but it works right now.

Assigned: Unassigned » Dave Reid

I can't see a better way to do that, and wonder if we need a link there at all? Seems like its been there since contact.module was first committed.

File: new, 1.7 KB. Passed: 10931 passes, 0 fails, 0 exceptions

Yeah I might think it's just better to remove the link. If the user has access to their own contact form, they can see the dang "Contact" tab on their user page. There's no need to have that link - it's just confusing.

I agree, removing the link is the best way to go.

There is a big usability issue here, very similar to #91663: Permission of text format is not checked when editing an entity and instead reset to something a user can use.

While we are at it, why not make sure that the user can always see their own "contact" tab, but simply disable the form in there? (Adding a '#access' to the submit button would be more than enough... and that's nearly a one-line fix.)

Damien, should we put a drupal_set_message('You can not use your own contact form.')?

@Dave: that's a question to ask to the usability team. I personally think it would be nice, but I would rather embed it in the form (a '#type' => 'markup' element), because form elements can be form_altered, while drupal_set_message() can't.

Status: Needs review » Needs work

Back to CNW.

Dave,

I have noticed this problem in D6.9 still. Basically, that text needs to not link to a spot where permission will be denied for all but the administrators.

Any chance we can get this patch into D6.10?

One more note - The default notification email template for new accounts in D6 also links users to their personal contact form which gives them an access denied. Perhaps that should be changed as well.

Thanks!

Is there another active issue on this?

Is there a 6.x fix or patch yet. Just started allowing users and already getting mass emails about this problem.

Status: Needs work » Needs review
Issue tags: +needs backport to D6, +Needs usability review, +needs backport to D5
File: new, 5.83 KB. Failed: Failed to apply patch.

Revised patch:
- Removes the link to the user's own contact form in their profile.
- Changes the access function for all personal contact forms to not check if the current and contacted user are the same
- If the current and contacted user are the same users, it will display a warning-style message at the top of the personal contact form that says "For security reasons, you cannot use your own contact form."

Can post screenshots shortly.
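The access decision and the "visible but unusable" alternative discussed in this thread, as an added illustration in Drupal 7 style. This is not the contact module's own code and not the content of any patch attached here: the function names prefixed example_, the helper _example_contact_enabled(), and the permission names (taken as quoted in this thread; Drupal 7 renamed the administrative one) are assumptions.

```php
<?php
/**
 * Access callback for the personal contact tab at user/%user/contact.
 *
 * Added example following the policy stated in this thread; not core code.
 */
function example_contact_personal_tab_access($account) {
  global $user;

  // Anonymous users have no personal contact form.
  if (empty($account->uid)) {
    return FALSE;
  }
  // Administrators may reach any contact form, including their own.
  // (Permission name as quoted in this thread; an assumption for this example.)
  if (user_access('administer site-wide contact form')) {
    return TRUE;
  }
  // The owner can change the account e-mail to any address without
  // re-verification, so submitting your own form would mail an arbitrary
  // address. Deny self-contact for non-administrators.
  if ($user->uid == $account->uid) {
    return FALSE;
  }
  // Blocked accounts and users who disabled their form cannot be contacted.
  if (empty($account->status) || !_example_contact_enabled($account)) {
    return FALSE;
  }
  return user_access('access user contact forms');
}

/**
 * Hypothetical helper: the target user's "Personal contact form" setting.
 *
 * Assumes the setting lives in $account->data['contact'] and that the
 * site default is the contact_default_status variable.
 */
function _example_contact_enabled($account) {
  if (isset($account->data['contact'])) {
    return !empty($account->data['contact']);
  }
  return (bool) variable_get('contact_default_status', 1);
}

/**
 * Implements hook_form_FORM_ID_alter() for contact_personal_form.
 *
 * The alternative raised above: let the owner see the tab but disable the
 * submit button and explain why inline (an element rather than
 * drupal_set_message(), so other modules can still form_alter it). Only
 * meaningful if the access callback is relaxed to let the owner through.
 */
function example_form_contact_personal_form_alter(&$form, &$form_state) {
  global $user;
  // The recipient account is carried in the form as a value element.
  $recipient = $form['recipient']['#value'];
  if ($user->uid == $recipient->uid) {
    $form['self_notice'] = array(
      '#markup' => '<div class="messages warning">' . t('For security reasons, you cannot use your own contact form.') . '</div>',
      '#weight' => -10,
    );
    // Hide the submit button; the form can be read but not sent.
    $form['actions']['submit']['#access'] = FALSE;
  }
}
?>
```

The security-relevant check is the self-contact branch: it exists only because the account e-mail is user-editable without verification, which is the point Dave Reid makes further up. If a site verifies changed e-mail addresses, that branch is the one to revisit.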

I am puzzled about this solution. Re your three bullet points:

1) contacting your self might be pointless, but it is not inherently irrational. In fact, in order to test a site's email capabilities, it might be a sensible thing to do. Fundamental programming principle: never ban anything just because it seems pointless, only ban the irrational. (Example: I was getting infinite loops in the sort function from an early Microsoft C compiler every Sunday. Sunday there were no new items and thus nothing to sort. The library assumed that no one would ever sort nothing, and used an algorithm that infinite-looped. So special tests had to be inserted into the logic to skip the sort of no items. Smart way: no (or 1) items are always sorted, do nothing.) "X is pointless" is usually a failure of one's own imagination, not a valid reason to ban something.

2) This is correct.

3) If you say so, but I cannot imagine any earthly security reason for preventing someone emailing themself. I would very much appreciate being filled in on this, as obviously I am missing something of significance.

A few more thoughts. I experimented with the code in D6, and discovered that if I also removed the test for user 0, the algorithm fell through and gave a "You need to provide a valid e-mail address to contact other users. Please update your user information and try again" message. Why not add code in this case to actually put a 'return address' box on the form and then allow it? That way, the site admin can choose whether to permit anonymous emailings or not. It might also be good to introduce another permission "access other site members contact form" as opposed to "access site-wide contact form" to control this, so the admin can choose with rationale something like "I am prepared to tolerate anonymous emails, but I don't want my readers pestered."

I would do this myself, but I don't know how to make the requisite return address box appear. And there is one problem, the hourly email limit. With anonymous users this would have to be run off something like the IP address of the user.

@RTH
@21: If you register for a Drupal site and then change your e-mail address in your user account form, you could then use your own contact form to send spam to unwilling addresses. That is why it is not allowed. If ever the time comes that Drupal does force users to validate changed e-mail addresses, I'm sure we could open this restriction up.
@22: Personal contact forms can only be used by registered users. You attempted to use it as an anonymous user, which it was not meant to do. Please see #58224: Allow anonymous users access to a members personal contact form for that issue. Let's keep things separate.

Thanks Dave.

Re @21: All someone has to do is open two accounts under different aliases, and then spam one from the other. It seems this is an unavoidable security problem, not one that exists solely from allowing people to email themselves. The other measure you mention, forcing users to validate changed email addresses, would seem to be the only way to block the security hole.

Re @22: Thanks for that, I wasn't aware of the other issue. In that case, while the other issue is being discussed, I suggest doing what I have done locally: removed the condition preventing user 0 seeing an email link (this causes the "You need to provide a valid e-mail address..." message), but then adding a new message in front of that one, testing for user 0 and saying something like "You must log in to send email to other users." By doing this, the fact that email is possible if you log in becomes visible and gives people a reason for registering on your site.

changing things

@RTH: If a user opens a second account, they have to verify the e-mail used for their new account as well, so that doesn't work. I'm not going to do anything about checking user uid 0 because that changes everything about this issue and makes things more complex. Anything about that should be discussed in #58224: Allow anonymous users access to a members personal contact form. If you check out the patches in that issue you will see how we are solving the problem you are describing. Please keep this issue to *only* about improving the error message as is. Let's not derail an easy fix issue.

Thanks Dave. I don't understand your remark about two user logins. As I understand it, the security hole is: User opens account, changes email address, then emails "himself" to send spam. Is that correct? If so, why cannot a user open account A and account B, change the email address for account B, and use account A to spam the new unverified target of B? I am missing why this security hole exists only in the case where a user may email himself.

Status: Needs review » Needs work

The last submitted patch failed testing.

Maybe this fix would get into core quicker if the code style improvements went into a separate issue? It's hard to spot the actual code changes.. :)

I'm not sure the spam problem is all that severe, especially with the flood constraint. But the harder it is to spam then the less it will happen (people will look for easier ways). Being able to view your own contact form would be a "nice to have" though, especially for less confident users who might find it reassuring to see what they are letting themselves in for ... perhaps disable the "Send e-mail" button and output a short message explaining why it is disabled.

I agree, the main problem is the visibility of the "your personal contact form" link in the description text under the "Personal contact form" check box for users that do not have the "administer site-wide contact form" permission.

Removing the link would solve this issue. Moving everything else into a separate issue is a good idea.

Please remove the link from 6.x.

Is there some alternate way around this issue until this gets fixed?
How can I get rid of the "your personal contact form" link in 6.14?

@Dinornis and anyone else looking for a fix till then: form_alter

<?php
/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 *
 * Replaces the description under the "Personal contact form" checkbox so it
 * no longer links to user/UID/contact, which returns 403 for the user's own form.
 */
function modulename_form_user_profile_form_alter(&$form, $form_state) {
  $form['contact']['contact']['#description'] = t('Allow other users to contact you via a personal contact form which keeps your e-mail address hidden. Note that some privileged users such as site administrators are still able to contact you even if you choose to disable this feature.');
}
?>

where modulename is the name of a module. (I assume there's a tutorial somewhere on how to make a simple module.)

Sorry for cluttering the issue; if I used the contact form to contact him someone would probably respond anyway.

Just to note that #601250: Allow anonymous users to use personal contact forms has been committed, superseding #58224: Allow anonymous users access to a members personal contact form.

If you do give anon users permission to access/use members' contact forms then it becomes even more of an oddity that members can't in general access their own and are simply presented with an access denied message.

It seems the most obvious solution is to remove the link in the email. Why send out a link that the user can't visit? That's a bad user experience.

Please forgive the noobiness of this question, but how do I edit the email template that the contact form sends out? I've been clicking through the admin menus forever, and I can't find it anywhere.

Hi Dave,
I accidentally duplicate posted in #661060: Dead link generation with contact.module?, but find here that the question, while thoroughly discussed, has not been resolved for D6.

Is there a way to simply remove the 403 link from the form in D6 without writing a new module or hacking/patching core?

All other usability issues aside (imho), just eliminating the source of site-is-broken confusion for the end-user is the best starting point (and possibly the best ending point, for D6 at least).

Steve

Other than by css? Probably not to my knowledge

It's really easy to do it in a module, I'd suggest just doing that :>

<?php
/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 *
 * Same fix as above, packaged in the "blocked" module: swap the description
 * text for one without the link to the user's own contact form.
 */
function blocked_form_user_profile_form_alter(&$form, $form_state) {
  $form['contact']['contact']['#description'] = t('Allow other users to contact you via a personal contact form which keeps your e-mail address hidden. Note that some privileged users such as site administrators are still able to contact you even if you choose to disable this feature.');
}
?>

(from http://github.com/hefox/blocked)

My suggestion is to change the functionality of the contact form when it is your own: let it include a destination ajax field that allows you to choose one of the users that have their contact form enabled (except yourself). That way the Contact remains functional (allowing to mail others that permit it) and at the same time it avoids mailing yourself. That way your own contact form should always be active to enable contacting others.

I have the same problem with a new community site on Drupal 6.15. After a couple of days a user told me he was puzzled to have got "access denied" on his own personal contact form from his "my account" page.

Version: 7.x-dev » 6.9

this forbidden link is also in every email message sent with the personal contact form:

the default text says:

[addressedUser],

[sendingUser] (http://sitename.com/user/[sendingUser]) has sent you a message via your contact form (http://sitename.com/user/[addressedUserID]/contact) at sitename.

that emailed link is forbidden to the addressed user -- as it's their own contact form -- and should be removed from the message.

thanks.

Title: Link to contact form in user account leads to 403. » Link to contact form in user account and e-mails leads to 403.
Version: 6.9 » 7.x-dev

Please don't change the version unless you know what you're doing. Needs to be fixed in D7 first.

sorry -- version change wasn't intentional.

/jt

For those that need this now, rather than later, and don't want to hack core, the D6 quick fix for the faulty email text is to use string overrides. Here is a one-liner that does just that... put it at the bottom of your settings.php file.

<?php
// Override the contact module's notification text so it no longer carries
// the !form-url link (which 403s for the recipient, its owner).
$conf['locale_custom_strings_en']['!name (!name-url) has sent you a message via your contact form (!form-url) at !site.'] = '!name (!name-url) has sent you a message via your contact form at !site.';
?>

The settings.php line throws errors in D6 for me.

Is there another option for just removing the link from the auto-generated email, and if not can someone please walk me through hacking the core?

@Callatya: use only the line of code between the <?php and ?> (i.e. don't include the <?php or ?> in your settings.php file); it's used here only for syntax highlighting purposes.
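A module-based alternative to the settings.php string override, as an added example that is not part of this thread or of the contact module: a hook_mail_alter() implementation that strips the parenthesised user/N/contact URL from the recipient notification before it is sent. It assumes the Drupal 6/7 contact module builds that mail with the id 'contact_user_mail' (module 'contact', key 'user_mail') and that the URL comes from url() with 'absolute' set; the module name "example" is a placeholder.

```php
<?php
/**
 * Implements hook_mail_alter().
 *
 * Added example, not core code. Removes the "(http://.../user/N/contact)"
 * parenthetical from the message the contact module sends to the person
 * being contacted, so the mail no longer links to a page its reader gets
 * "Access denied" on.
 */
function example_mail_alter(&$message) {
  // Assumption: contact_mail() sends the recipient notification under this id.
  if ($message['id'] != 'contact_user_mail') {
    return;
  }
  // $message['body'] is an array of paragraphs; rewrite each one.
  foreach ($message['body'] as $i => $line) {
    $message['body'][$i] = _example_strip_contact_url($line);
  }
}

/**
 * Drops a parenthesised absolute URL that ends in user/<uid>/contact, along
 * with the space in front of it. Matches both clean URLs
 * (http://site/user/4/contact) and ?q= URLs (http://site/?q=user/4/contact).
 */
function _example_strip_contact_url($text) {
  return preg_replace('@ \(https?://[^\s)]*user/\d+/contact\)@', '', $text);
}
?>
```

Unlike the string override, this works regardless of the site language and survives changes to the source string, but it acts on the rendered text, so it will also remove any other parenthesised link to a contact form that appears in that mail.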

Why was this changed 7.x from 6.x? It still exists in 6.x.


It will be fixed in 7 then back ported to 6/5, but 7 gets the ticket, which is generally the case.

(Anyhow, was looking for an excuse to say: there's an issue that is similar, if you edit your email and try to set it to an other user's email, it gives you that "Did you forget your password?" message linking to 403-ed user/pass >.O. Mentioning it here so don't forget, still looking to see if there's an existing issue queue post.).

subscribe

File: new, 58.16 KB

Attaching a screenshot, Drupal 6.19...

I'm assuming the image attached in #51 documents the error described in #49 somehow?? because the URL doesn't say user/X/contact, which should be a different issue than this one.

The issue in this thread is specifically that the link to your own contact form page in the email sent to you when someone sends you a message via the contact form gives you an access denied error if you're logged in to your account. Let's stay on topic here.

Would love to see a patch for d7 (has it been addressed yet? does anyone know?) so we can then backport to d6 and squash this #wtf usability issue in core.

And can you tell me how to completely hide this that users see when editing their account ? It is useless for an Ubercart shop:

Contact settings
Personal contact form
Allow other users to contact you by e-mail via your personal contact form. Note that while your e-mail address is not made public to other members of the community, privileged users such as site administrators are able to contact you even if you choose not to enable this feature.

Thank you for your help.

@make-online-shop:

Your support requests would be better served in the forums or on the support mailing list; this issue exists for fixing bugs in the code. See the Community section for more info on various ways to get help.

I'm no Drupal master but I did manage to make a module for Drupal 6 (tested on 6.20) that implements the solution from comment #32. For anyone like me who is new at making a custom module, I uploaded it to my server and it's located here: http://rowdyrabbit.com/customdrupalmodules/contactzzz.tar.gz

This only solves the problem on the edit user page but doesn't solve the email problem. The email problem was successfully fixed by adding the line found in comment #43 to my settings.php.

Version: 7.x-dev » 8.x-dev

I guess that this issue needs now to be fixed in Drupal 8, first.

Status: Needs work » Needs review
Files: new, 39.94 KB; new, 13.71 KB; new, 13.38 KB; new, 2.05 KB. FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch contact-remove-confusing-urls-345541-57.git__0.patch. Unable to apply patch. See the log in the details link for more information.

I am puzzled by this not yet being resolved. I think the required change is trivial and has already been mentioned several times in this thread. The problem is that the contact module automatically inserts a link to the user's own contact page in the user's contact settings form and in email messages sent to the user when others use the contact form. The link is unusable for ordinary users since there is a policy against non-admin users having access to their own contact form. Also there is not much point in giving such access anyway: users don't need to contact themselves.

I've created a patch for D7 based upon the 7.x branch that I think solves the issue (it is basically the same as already suggested). The patch is attached to this message and I hope someone is able to review it. I think it applies cleanly to the current 7.15 core. However, this is the first patch I submit, so please be gentle if I've not followed the correct procedure for submitting it, or made other mistakes.

To document the issue, three screenshots are attached (I've noticed the issue is tagged with "Needs screenshot").

  1. The first shows the confusing link in the contact settings form.
  2. The second shows the confusing link in the body of email sent using the contact form.
  3. The third shows the result of clicking on the link to one's own contact form (Access denied)

Issue tags: +needs backport to D7

The last submitted patch, contact-remove-confusing-urls-345541-57.git_.patch, failed testing.

Status: Needs review » Needs work

OK, test failed, fair enough. Can some gentle person tell me how I goofed up with this patch (it applied cleanly when I tested it on my site)?

"Ensure the patch applies to the tip of the chosen code-base"
http://qa.drupal.org/pifr/test/359223#pifr-steps

Perhaps you didn't make the patch relative to the contact.module directory? Wish I could help more.

Version: 8.x-dev » 7.x-dev
Status: Needs work » Needs review

The problem is that issue's "Version" field (currently 8.x-dev) needs to coincide with the patch... you can see this in the test log, that it used version 8.x to apply the patch, which obviously wouldn't apply cleanly.

                    [repository] => Array
                        (
                            [type] => git
                            [url] => git://git.drupal.org/project/drupal.git
                        )
                    [vcs_identifier] => 8.x

The standard coding practice dictates that the best option is to create a patch for Drupal 8, and then we could create a backport for Drupal 7 (potentially using your patch in #57 as a guide or point of reference). I'll temporarily set this back to "7.x-dev" and retest (just to see if the test passes or not, so as to keep gisle motivated to keep working on it for D8, if they so choose ;)

After the test result comes up, this should be set back to "8.x-dev", and "needs work".

Version: 7.x-dev » 8.x-dev
Status: Needs review » Needs work

Hrm. Apparently it's not as easy as switching the version number and resetting to needs review, as this did nothing to trigger a re-test (or maybe I just didn't wait long enough?).

Anyway, switching it back to D8, needs work. Please provide a patch against D8.

Status: Needs work » Needs review
File: new, 2.01 KB. PASSED: [[SimpleTest]]: [MySQL] 47,999 pass(es).

This is the patch corrected for Drupal 8.

Issue tags: -needs backport to D5

I am cleaning the tags, as the code will not be back-ported to Drupal 5.

This trivial issue has remained open for 3 years and 47 weeks!

IMHO, good patches exist for at least D7 and D8. But there have been at least two minor releases of D7 core since I became aware of the issue, and the existing patch is not yet merged into the dev branch.

I think that switching it to version 8.x-dev in comment #56 did not help, as very few people run D8, which means that there are few reviewers around, making it less likely that the patch gets to RTBC status.

I've been told that it needs to be fixed in D8 first, then backported to D7, but that does not seem to happen.

I do, of course, have the patch. So I patch every minor release before updating my sites. But having a patch is not the same as having it in core. Patching means that I can't use automatic updates, and that I can't provide translations at http://localize.drupal.org.

This issue seems so trivial. Can somebody with more insight in the process than me do whatever is required to get this fixed?

Patches need to go into the highest applicable branch, and so issues should be associated with that branch (8.x). What most people do, I think, is set up a test 8.x install (and reinstall every so often as head to head isn't supported) to test patches.

Anyhow, patch applies and removes the link from the email and edit form.

In my opinion, it makes sense to do this instead of providing the form -- simpler and cleaner. I see the advantage of having the form, but not worth the extra logic.

Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs screenshot, -API clean-up

Ok, I've downloaded and installed 8.x in order to test the patch in #63. (About time to get my feet wet with 8.x anyway.)

Patch in #63 applied cleanly to the now current version (SHA-1: 026508fb21fb29c0aeb734f1a3f1774bf38cd6db) of the 8.x branch.

It solves the bug by removing the link from the email and edit form. I agree with hefox #66 that this provides a simple and clean solution to the issue.

I am changing status to RTBC and crossing my fingers, hoping this will make it into the next release.

I also removed the Needs screenshot tag (see #57 for screenshots).
I also removed the API cleanup tag. I see no need to clean up the API with this solution.

#63: remove-link-345541-63.patch queued for re-testing.

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Nearly asked for tests for this, but it's sufficiently trivial I don't think it needs explicit test coverage. Committed/pushed to 8.x, moving to 7.x for backport.

Assigned: Dave Reid » Unassigned
Status: Patch (to be ported) » Needs review
File: new, 2.01 KB. FAILED: [[SimpleTest]]: [MySQL] 40,369 pass(es), 0 fail(s), and 3 exception(s).

Backported #63 to D7.

Status: Needs review » Needs work

The last submitted patch, 345541-70-remove-contact-link.patch, failed testing.

Status: Needs work » Needs review
File: new, 2.01 KB. PASSED: [[SimpleTest]]: [MySQL] 40,323 pass(es).

Fixed the error in #70.