This causes protection to fail when using http://drupal.org/project/me nodule for account edit aliases (user/me/edit instead of user//edit). The user account is not loaded in userprotect_form_alter. I see that in in hook_form_alter for user_profile_form there is $form['#uid'] which can be used instead. This would fix compatability with any form of user aliasing, not only the me module.
So instead of this:
account = user_load(array('uid' => arg(1)));
there would be this:
$account = user_load(array('uid' => $form['#uid']));
#uid is provided by core, see here:
http://api.drupal.org/api/function/user_edit_form/6
Other uses of arg(1) are:
- openid_user_add
- openid_user_delete_form
- userprotect_user_edit_access
- userprotect_user_delete_access
openid_user_add and openid_user_delete_form:
According to this page:
http://api.drupal.org/api/function/openid_user_delete_form/6
The uid will be provided in:
$form['uid']['#value']
But I don't know what to do with openid_user_add...
userprotect_user_edit_access and userprotect_user_delete_access:
I see that $account is already provided in the parameters to these functions, so why use arg(1) at all? I'm not sure how menu access callback work though. And perhaps this is not an issue because menu access callbacks are not called on the aliased but actual pages? That should work on hook_form_alter too, however...
Comment | File | Size | Author |
---|---|---|---|
#4 | uid.patch | 1.35 KB | jhl.verona |
Comments
Comment #1
TripleEmcoder CreditAttribution: TripleEmcoder commentedI also found a solution in issue #510866: Allow is_numeric(arg(1)) to function correctly with me.:
Comment #2
hunmonk CreditAttribution: hunmonk commentedthis is not a high priority issue for me, so it's doubtful i'll actively fix it any time soon. however, if you submit a quality patch which addresses all the issues you're describing, i'd be happy to commit it.
Comment #3
Anonymous (not verified) CreditAttribution: Anonymous commented+1
Comment #4
jhl.verona CreditAttribution: jhl.verona commentedI also would like to integrate the User Protect project into the Services project. Specifically the User Service. Though I have less stringent necessities than memfis - I'm only concerned with the
userprotect_form_alter
function's override ofuser_profile_form
itself. In this particular situation, the form is used at an URL which does not have theuser/%uid/edit
format.I have supplied a patch which avoids using the arg(1) value, where possible. The reasoning for this code is both logical and empirical.
Firstly, the core user_profile_form places the
$account
object in the form at$form['_account']['#value']
. On the contrary the$form['#uid']
value that memfis mentions, is not present in the 'Profile' tab.Secondly, using a sandbox with just the core
user
andprofile
modules enabled, I have empirically checked theuser/%uid/edit
page both for the 'Account' and 'Profile' tabs - in both cases the account object was present in the form.Thirdly, just to be absolutely sure (belt and braces) I test that if value is empty, the account is loaded using the arg(1) value, as before.
As for the use of arg(1) in the two openid forms, I can make no comment, as I have no knowledge of either the forms or the code for OpenID.
Finally, the use of arg(1) in the two access functions only affects whether a message is displayed or not, it does not affect the protection logic or its functionality.
Best regards,
John
P.S. Very useful module by the way, thank you for the hard work that you've done.
Comment #5
hunmonk CreditAttribution: hunmonk commentedthanks to everyone for their insight into this issue. i've committed fixes to 5.x-1.x-dev, 6.x-1.x-dev, and HEAD for *some* of these issues -- others are not really solvable in a clean fashion given drupal's current limitations. some details on the fixes: