author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-11-19 11:24:11 +0000 |
---|---|---|
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-11-19 11:24:11 +0000 |
commit | b0676c8f27d75d4b4887de37c92a152386a3a740 (patch) | |
tree | c0d7d0a0177c874e5c3f6f45406322b936818cef /modules | |
parent | c40af9443d141d117aac0b27bfeef6b3f5792b1d (diff) | |
#192692 by jrbeeman and mfer: (security) protect profile category page menu items with the visibility settings already available
Diffstat (limited to 'modules')
-rw-r--r-- | modules/profile/profile.module | 20 | ||||
-rw-r--r-- | modules/user/user.module | 2 |
2 files changed, 21 insertions, 1 deletions
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index b3346925c..8f0458984 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -443,11 +443,29 @@ function profile_categories() {
 $result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
 $data = array();
 while ($category = db_fetch_object($result)) {
- $data[] = array('name' => $category->category, 'title' => $category->category, 'weight' => 3);
+ $data[] = array(
+ 'name' => $category->category,
+ 'title' => $category->category,
+ 'weight' => 3,
+ 'access callback' => 'profile_category_access',
+ 'access arguments' => array($category->category)
+ );
 }
 return $data;
 }
+/*
+ * Menu item access callback - check if a user has access to a profile category.
+ */
+function profile_category_access($category) {
+ if (user_access('administer users')) {
+ return TRUE;
+ }
+ else {
+ return db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
+ }
+}
+
 /**
 * Process variables for profile-block.tpl.php.
 *
diff --git a/modules/user/user.module b/modules/user/user.module
index 88ffcabee..caf301411 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1072,6 +1072,8 @@ function user_menu() {
 'title arguments' => array($category['title']),
 'page callback' => 'user_edit',
 'page arguments' => array(1, 3),
+ 'access callback' => isset($category['access callback']) ? $category['access callback'] : TRUE,
+ 'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(),
 'type' => MENU_LOCAL_TASK,
 'weight' => $category['weight'],
 'file' => 'user.pages.inc', |
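Review bot: The non-admin branch of the new `profile_category_access()` returns the raw `db_result()` value of a `COUNT(*)` query, a numeric string, while the admin branch returns `TRUE`; make the callback return one type in both branches, `return (bool) db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));`. The comment above the function opens with `/*` rather than the `/**` doc-block form used by the neighbouring `Process variables for profile-block.tpl.php.` comment in the same hunk, so it will not be picked up as API documentation; change the opener to `/**`. The docblock should also state what the check actually decides — that the category is shown when it has at least one field whose visibility is not `PROFILE_HIDDEN`, and that it does not look at which account is being edited — since callers in user.module treat it as the whole access decision for the tab.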
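Review bot: The fallback `TRUE` on the added `'access callback'` line makes a category tab reachable by any user whenever the category supplies no callback of its own, and setting an explicit callback on the item appears to stop it inheriting the access check of the parent `user/%user_category/edit` item, so the per-account edit permission would no longer be enforced on these tabs; this is inferred, as the parent item and the rest of `user_menu()` lie outside the hunk. When a callback is supplied (the profile.module hunk adds `profile_category_access`), that callback alone decides access, and it only inspects field visibility, not the account being edited. A safer default is to fall back to the same callback and arguments the parent edit item uses, e.g. `'access callback' => isset($category['access callback']) ? $category['access callback'] : '<parent-edit-access-callback>',` and `'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(1),`, and to document that a module-supplied callback must itself re-check edit rights on the account in argument 1. `user_menu()` starts and ends outside this hunk.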