authorDries Buytaert <dries@buytaert.net>2006-10-15 20:09:18 +0000
committerDries Buytaert <dries@buytaert.net>2006-10-15 20:09:18 +0000
commit1238ccd6d05a7fd112c726e097998d68e8da12d7 (patch)
tree52e2be042935fbbdf288486cd17874248351bf97
parentd692d438a36a6dede50813e01cf96155617c3f18 (diff)
- Patch #89323 by hunmonk: control access to mass operations.
-rw-r--r--modules/user/user.module59
1 files changed, 36 insertions, 23 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index 67d44aaa3..d83802e25 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -2090,19 +2090,6 @@ function user_admin_account_validate($form_id, $form_values) {
function user_user_operations() {
global $form_values;
- $roles = user_roles(1);
- unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
-
- $add_roles = array();
- foreach ($roles as $key => $value) {
- $add_roles['add_role-'. $key] = $value;
- }
-
- $remove_roles = array();
- foreach ($roles as $key => $value) {
- $remove_roles['remove_role-'. $key] = $value;
- }
-
$operations = array(
'unblock' => array(
'label' => t('Unblock the selected users'),
@@ -2112,27 +2099,53 @@ function user_user_operations() {
'label' => t('Block the selected users'),
'callback' => 'user_user_operations_block',
),
- t('Add a role to the selected users') => array(
- 'label' => $add_roles,
- ),
- t('Remove a role from the selected users') => array(
- 'label' => $remove_roles,
- ),
'delete' => array(
'label' => t('Delete the selected users'),
),
);
+ if (user_access('administer access control')) {
+ $roles = user_roles(1);
+ unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
+
+ $add_roles = array();
+ foreach ($roles as $key => $value) {
+ $add_roles['add_role-'. $key] = $value;
+ }
+
+ $remove_roles = array();
+ foreach ($roles as $key => $value) {
+ $remove_roles['remove_role-'. $key] = $value;
+ }
+
+ $role_operations = array(
+ t('Add a role to the selected users') => array(
+ 'label' => $add_roles,
+ ),
+ t('Remove a role from the selected users') => array(
+ 'label' => $remove_roles,
+ ),
+ );
+
+ $operations += $role_operations;
+ }
+
// If the form has been posted, we need to insert the proper data for role editing if necessary.
if ($form_values) {
$operation_rid = explode('-', $form_values['operation']);
$operation = $operation_rid[0];
$rid = $operation_rid[1];
if ($operation == 'add_role' || $operation == 'remove_role') {
- $operations[$form_values['operation']] = array(
- 'callback' => 'user_multiple_role_edit',
- 'callback arguments' => array($operation, $rid),
- );
+ if (user_access('administer access control')) {
+ $operations[$form_values['operation']] = array(
+ 'callback' => 'user_multiple_role_edit',
+ 'callback arguments' => array($operation, $rid),
+ );
+ }
+ else {
+ watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
+ return;
+ }
}
}