authorGábor Hojtsy <gabor@hojtsy.hu>2007-11-19 11:24:11 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2007-11-19 11:24:11 +0000
commitb0676c8f27d75d4b4887de37c92a152386a3a740 (patch)
treec0d7d0a0177c874e5c3f6f45406322b936818cef /modules
parentc40af9443d141d117aac0b27bfeef6b3f5792b1d (diff)
#192692 by jrbeeman and mfer: (security) protect profile category page menu items with the visibility settings already available
Diffstat (limited to 'modules')
-rw-r--r--modules/profile/profile.module20
-rw-r--r--modules/user/user.module2
2 files changed, 21 insertions, 1 deletions
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index b3346925c..8f0458984 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -443,11 +443,29 @@ function profile_categories() {
$result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
$data = array();
while ($category = db_fetch_object($result)) {
- $data[] = array('name' => $category->category, 'title' => $category->category, 'weight' => 3);
+ $data[] = array(
+ 'name' => $category->category,
+ 'title' => $category->category,
+ 'weight' => 3,
+ 'access callback' => 'profile_category_access',
+ 'access arguments' => array($category->category)
+ );
}
return $data;
}
+/*
+ * Menu item access callback - check if a user has access to a profile category.
+ */
+function profile_category_access($category) {
+ if (user_access('administer users')) {
+ return TRUE;
+ }
+ else {
+ return db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
+ }
+}
+
/**
* Process variables for profile-block.tpl.php.
*
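Review bot: `profile_category_access()` never sees the account whose edit page is being requested, because `'access arguments'` passes only the category name. For a non-admin the result therefore depends solely on whether the category has a non-hidden field, not on whether the current user may edit that account. Unless `user_edit` enforces that itself (not visible here), the callback should take the account too, e.g. `'access arguments' => array(1, $category->category)` with `function profile_category_access($account, $category)`, and the non-admin branch should also require the account check used by the parent edit item. The function also returns the raw `db_result()` count rather than a boolean, and its comment opens with `/*` where the next docblock in the file uses `/**`.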
diff --git a/modules/user/user.module b/modules/user/user.module
index 88ffcabee..caf301411 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1072,6 +1072,8 @@ function user_menu() {
'title arguments' => array($category['title']),
'page callback' => 'user_edit',
'page arguments' => array(1, 3),
+ 'access callback' => isset($category['access callback']) ? $category['access callback'] : TRUE,
+ 'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(),
'type' => MENU_LOCAL_TASK,
'weight' => $category['weight'],
'file' => 'user.pages.inc',
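Review bot: The `TRUE` fallback on the added `'access callback'` line makes every category that does not supply its own callback unconditionally accessible at the menu level. If these local tasks previously relied on the parent item's access check by leaving the key unset (likely, but not visible in this hunk), the commit tightens profile categories while loosening those of every other module. Defaulting to the parent edit item's callback with `array(1)` as its arguments, or adding the two keys only when the category defines them, would keep the earlier behaviour for other modules. `user_menu()` starts and ends outside the hunk, so the parent item's definition should be checked before choosing the default.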