#192056 by effulgentsia, Dave Cohen, andypost, hswong3i, geodaniel, pwolanin, and dahacouk: Ensure user's raw login name is never output directly.

author: Angie Byron <webchick@24967.no-reply.drupal.org> 2009-11-01 21:26:44 +0000
committer: Angie Byron <webchick@24967.no-reply.drupal.org> 2009-11-01 21:26:44 +0000
commit: ca8eee7545f75c199bde0121bd6a0792d67c5b91 (patch)
tree: 5e805f30c93c7a005e0cb422dd0ea95ca849d84f /modules
parent: b882d991d01544fb458cb58614fdba4fab0997eb (diff)
download: brdo-ca8eee7545f75c199bde0121bd6a0792d67c5b91.tar.gz
brdo-ca8eee7545f75c199bde0121bd6a0792d67c5b91.tar.bz2
15 files changed, 51 insertions, 29 deletions
diff --git a/modules/blog/blog.module b/modules/blog/blog.module
index 0d4878d48..1198f27e2 100644
--- a/modules/blog/blog.module
+++ b/modules/blog/blog.module
@@ -27,7 +27,7 @@ function blog_user_view($account) {
     $account->content['summary']['blog'] =  array(
       '#type' => 'user_profile_item',
       '#title' => t('Blog'),
-      '#markup' => l(t('View recent blog entries'), "blog/$account->uid", array('attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => $account->name))))),
+      '#markup' => l(t('View recent blog entries'), "blog/$account->uid", array('attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => format_username($account)))))),
       '#attributes' => array('class' => array('blog')),
     );
   }
@@ -60,7 +60,7 @@ function blog_form(stdClass $node, $form_state) {
 function blog_view(stdClass $node, $build_mode) {
   if ((bool)menu_get_object()) {
     // Breadcrumb navigation.
-    drupal_set_breadcrumb(array(l(t('Home'), NULL), l(t('Blogs'), 'blog'), l(t("!name's blog", array('!name' => $node->name)), 'blog/' . $node->uid)));
+    drupal_set_breadcrumb(array(l(t('Home'), NULL), l(t('Blogs'), 'blog'), l(t("!name's blog", array('!name' => format_username($node))), 'blog/' . $node->uid)));
   }
   return $node;
 }
@@ -72,9 +72,9 @@ function blog_node_view(stdClass $node, $build_mode = 'full') {
   if ($build_mode != 'rss') {
     if ($node->type == 'blog' && arg(0) != 'blog' || arg(1) != $node->uid) {
       $links['blog_usernames_blog'] = array(
-        'title' => t("!username's blog", array('!username' => $node->name)),
+        'title' => t("!username's blog", array('!username' => format_username($node))),
         'href' => "blog/$node->uid",
-        'attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => $node->name))),
+        'attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => format_username($node)))),
       );
       $node->content['links']['blog'] = array(
         '#theme' => 'links',
diff --git a/modules/blog/blog.pages.inc b/modules/blog/blog.pages.inc
index 6936f54be..a605cfa1c 100644
--- a/modules/blog/blog.pages.inc
+++ b/modules/blog/blog.pages.inc
@@ -12,7 +12,7 @@
 function blog_page_user($account) {
   global $user;
 
-  drupal_set_title($title = t("@name's blog", array('@name' => $account->name)), PASS_THROUGH);
+  drupal_set_title($title = t("@name's blog", array('@name' => format_username($account))), PASS_THROUGH);
 
   $items = array();
 
@@ -123,7 +123,7 @@ function blog_feed_user($account) {
     ->execute()
     ->fetchCol();
 
-  $channel['title'] = t("!name's blog", array('!name' => $account->name));
+  $channel['title'] = t("!name's blog", array('!name' => format_username($account)));
   $channel['link'] = url('blog/' . $account->uid, array('absolute' => TRUE));
 
   node_feed($nids, $channel);
diff --git a/modules/blog/blog.test b/modules/blog/blog.test
index 597c549e8..c00a93399 100644
--- a/modules/blog/blog.test
+++ b/modules/blog/blog.test
@@ -38,7 +38,7 @@ class BlogTestCase extends DrupalWebTestCase {
 
     $this->drupalGet('blog/' . $this->big_user->uid);
     $this->assertResponse(200);
-    $this->assertTitle(t("@name's blog", array('@name' => $this->big_user->name)) . ' | Drupal', t('Blog title was displayed'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->big_user))) . ' | Drupal', t('Blog title was displayed'));
     $this->assertText(t('You are not allowed to post a new blog entry.'), t('No new entries can be posted without the right permission'));
   }
 
@@ -50,8 +50,8 @@ class BlogTestCase extends DrupalWebTestCase {
 
     $this->drupalGet('blog/' . $this->own_user->uid);
     $this->assertResponse(200);
-    $this->assertTitle(t("@name's blog", array('@name' => $this->own_user->name)) . ' | Drupal', t('Blog title was displayed'));
-    $this->assertText(t('!author has not created any blog entries.', array('!author' => $this->own_user->name)), t('Users blog displayed with no entries'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->own_user))) . ' | Drupal', t('Blog title was displayed'));
+    $this->assertText(t('@author has not created any blog entries.', array('@author' => format_username($this->own_user))), t('Users blog displayed with no entries'));
   }
 
   /**
@@ -139,7 +139,7 @@ class BlogTestCase extends DrupalWebTestCase {
     $this->drupalGet('node/' . $node->nid);
     $this->assertResponse(200);
     $this->assertTitle($node->title[FIELD_LANGUAGE_NONE][0]['value'] . ' | Drupal', t('Blog node was displayed'));
-    $this->assertText(t('Home ' . $crumb . ' Blogs ' . $crumb . ' @name' . $quote . 's blog', array('@name' => $node_user->name)), t('Breadcrumbs were displayed'));
+    $this->assertText(t('Home ' . $crumb . ' Blogs ' . $crumb . ' @name' . $quote . 's blog', array('@name' => format_username($node_user))), t('Breadcrumbs were displayed'));
 
     // View blog edit node.
     $this->drupalGet('node/' . $node->nid . '/edit');
@@ -180,7 +180,7 @@ class BlogTestCase extends DrupalWebTestCase {
 
     // Confirm the recent blog entries link goes to the user's blog page.
     $this->clickLink('View recent blog entries');
-    $this->assertTitle(t("@name's blog | Drupal", array('@name' => $user->name)), t('View recent blog entries link target was correct'));
+    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), t('View recent blog entries link target was correct'));
 
     // Confirm a blog page was displayed.
     $this->drupalGet('blog');
@@ -191,7 +191,7 @@ class BlogTestCase extends DrupalWebTestCase {
 
     // Confirm a blog page was displayed per user.
     $this->drupalGet('blog/' . $user->uid);
-    $this->assertTitle(t("@name's blog | Drupal", array('@name' => $user->name)), t('User blog node was displayed'));
+    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), t('User blog node was displayed'));
 
     // Confirm a blog feed was displayed.
     $this->drupalGet('blog/feed');
@@ -199,6 +199,6 @@ class BlogTestCase extends DrupalWebTestCase {
 
     // Confirm a blog feed was displayed per user.
     $this->drupalGet('blog/' . $user->uid . '/feed');
-    $this->assertTitle(t("@name's blog", array('@name' => $user->name)), t('User blog feed was displayed'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($user))), t('User blog feed was displayed'));
   }
 }
diff --git a/modules/contact/contact.module b/modules/contact/contact.module
index 891992703..3ba19a55e 100644
--- a/modules/contact/contact.module
+++ b/modules/contact/contact.module
@@ -174,7 +174,7 @@ function contact_mail($key, &$message, $params) {
     '!subject' => $params['subject'],
     '!category' => isset($params['category']['category']) ? $params['category']['category'] : '',
     '!form-url' => url($_GET['q'], array('absolute' => TRUE, 'language' => $language)),
-    '!sender-name' => $params['sender']->name,
+    '!sender-name' => format_username($params['sender']),
     '!sender-url' => $params['sender']->uid ? url('user/' . $params['sender']->uid, array('absolute' => TRUE, 'language' => $language)) : $params['sender']->mail,
   );
 
@@ -194,7 +194,7 @@ function contact_mail($key, &$message, $params) {
     case 'user_mail':
     case 'user_copy':
       $variables += array(
-        '!recipient-name' => $params['recipient']->name,
+        '!recipient-name' => format_username($params['recipient']),
         '!recipient-edit-url' => url('user/' . $params['recipient']->uid . '/edit', array('absolute' => TRUE, 'language' => $language)),
       );
       $message['subject'] .= t('[!site-name] !subject', $variables, array('langcode' => $language->language));
diff --git a/modules/contact/contact.pages.inc b/modules/contact/contact.pages.inc
index 72603a39d..f3827083d 100644
--- a/modules/contact/contact.pages.inc
+++ b/modules/contact/contact.pages.inc
@@ -64,7 +64,7 @@ function contact_site_form($form, &$form_state) {
     '#type' => 'textfield',
     '#title' => t('Your name'),
     '#maxlength' => 255,
-    '#default_value' => $user->uid ? $user->name : '',
+    '#default_value' => $user->uid ? format_username($user) : '',
     '#required' => TRUE,
   );
   $form['mail'] = array(
@@ -180,7 +180,7 @@ function contact_personal_form($form, &$form_state, stdClass $recipient) {
     return drupal_access_denied();
   }
 
-  drupal_set_title(t('Contact @username', array('@username' => $recipient->name)), PASS_THROUGH);
+  drupal_set_title(t('Contact @username', array('@username' => format_username($recipient))), PASS_THROUGH);
 
   if (!$user->uid) {
     $form['#attached']['library'][] = array('system', 'cookie');
@@ -196,7 +196,7 @@ function contact_personal_form($form, &$form_state, stdClass $recipient) {
     '#type' => 'textfield',
     '#title' => t('Your name'),
     '#maxlength' => 255,
-    '#default_value' => $user->uid ? $user->name : '',
+    '#default_value' => $user->uid ? format_username($user) : '',
     '#required' => TRUE,
   );
   $form['mail'] = array(
diff --git a/modules/openid/openid.pages.inc b/modules/openid/openid.pages.inc
index 0091e33fa..5fef3bf37 100644
--- a/modules/openid/openid.pages.inc
+++ b/modules/openid/openid.pages.inc
@@ -28,7 +28,7 @@ function openid_authentication_page() {
  * Menu callback; Manage OpenID identities for the specified user.
  */
 function openid_user_identities($account) {
-  drupal_set_title($account->name);
+  drupal_set_title(format_username($account));
   drupal_add_css(drupal_get_path('module', 'openid') . '/openid.css');
 
   // Check to see if we got a response
diff --git a/modules/php/php.module b/modules/php/php.module
index c4e2dfb92..4208acbd0 100644
--- a/modules/php/php.module
+++ b/modules/php/php.module
@@ -105,7 +105,7 @@ print t(\'Welcome visitor! Thank you for visiting.\');
 <pre>
 global $user;
 if ($user->uid) {
-  print t(\'Welcome @name! Thank you for visiting.\', array(\'@name\' => $user->name));
+  print t(\'Welcome @name! Thank you for visiting.\', array(\'@name\' => format_username($user)));
 }
 else {
   print t(\'Welcome visitor! Thank you for visiting.\');
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index be5c8392e..55b398026 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -202,7 +202,7 @@ function profile_block_view($delta = '') {
     }
 
     if ($output) {
-      $block['subject'] = t('About %name', array('%name' => $account->name));
+      $block['subject'] = t('About %name', array('%name' => format_username($account)));
       $block['content'] = $output;
       return $block;
     }
diff --git a/modules/statistics/statistics.pages.inc b/modules/statistics/statistics.pages.inc
index c676a4f81..048b8fa09 100644
--- a/modules/statistics/statistics.pages.inc
+++ b/modules/statistics/statistics.pages.inc
@@ -83,7 +83,7 @@ function statistics_user_tracker() {
       $rows[] = array(array('data' => t('No statistics available.'), 'colspan' => 3));
     }
 
-    drupal_set_title($account->name);
+    drupal_set_title(format_username($account));
     $build['statistics_table'] = array(
       '#theme' => 'table',
       '#header' => $header,
diff --git a/modules/system/system.api.php b/modules/system/system.api.php
index bcb9ec572..36a06df8d 100644
--- a/modules/system/system.api.php
+++ b/modules/system/system.api.php
@@ -1165,7 +1165,7 @@ function hook_mail($key, &$message, $params) {
   $context = $params['context'];
   $variables = array(
     '%site_name' => variable_get('site_name', 'Drupal'),
-    '%username' => $account->name,
+    '%username' => format_username($account),
   );
   if ($context['hook'] == 'taxonomy') {
     $object = $params['object'];
@@ -2665,5 +2665,27 @@ function hook_url_outbound_alter(&$path, &$options, $original_path) {
 }
 
 /**
+ * Alter the username that is displayed for a user.
+ *
+ * Called by format_username() to allow modules to alter the username that's
+ * displayed. Can be used to ensure user privacy in situations where
+ * $account->name is too revealing.
+ *
+ * @param &$name
+ *   The string that format_username() will return.
+ *
+ * @param $account
+ *   The account object passed to format_username().
+ *
+ * @see format_username()
+ */
+function hook_username_alter(&$name, $account) {
+  // Display the user's uid instead of name.
+  if (isset($account->uid)) {
+    $name = t('User !uid', array('!uid' => $account->uid));
+  }
+}
+
+/**
  * @} End of "addtogroup hooks".
  */
diff --git a/modules/toolbar/toolbar.module b/modules/toolbar/toolbar.module
index 4868e78e0..55f89df12 100644
--- a/modules/toolbar/toolbar.module
+++ b/modules/toolbar/toolbar.module
@@ -101,7 +101,7 @@ function toolbar_build() {
   if ($user->uid) {
     $links = array(
       'account' => array(
-        'title' => t('Hello <strong>@username</strong>', array('@username' => $user->name)),
+        'title' => t('Hello <strong>@username</strong>', array('@username' => format_username($user))),
         'href' => 'user',
         'html' => TRUE,
       ),
diff --git a/modules/tracker/tracker.pages.inc b/modules/tracker/tracker.pages.inc
index e4cd1d16f..75faaa76b 100644
--- a/modules/tracker/tracker.pages.inc
+++ b/modules/tracker/tracker.pages.inc
@@ -19,7 +19,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
       // When viewed from user/%user/track, display the name of the user
       // as page title -- the tab title remains Track so this needs to be done
       // here and not in the menu definition.
-      drupal_set_title($account->name);
+      drupal_set_title(format_username($account));
     }
   }
   else {
diff --git a/modules/user/user.api.php b/modules/user/user.api.php
index aca316ac2..c1e04ad53 100644
--- a/modules/user/user.api.php
+++ b/modules/user/user.api.php
@@ -320,7 +320,7 @@ function hook_user_view($account) {
     $account->content['summary']['blog'] =  array(
       '#type' => 'user_profile_item',
       '#title' => t('Blog'),
-      '#markup' => l(t('View recent blog entries'), "blog/$account->uid", array('attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => $account->name))))),
+      '#markup' => l(t('View recent blog entries'), "blog/$account->uid", array('attributes' => array('title' => t("Read !username's latest blog entries.", array('!username' => format_username($account)))))),
       '#attributes' => array('class' => array('blog')),
     );
   }
diff --git a/modules/user/user.module b/modules/user/user.module
index b35d10268..d8a60d8d3 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1251,7 +1251,7 @@ function template_preprocess_user_picture(&$variables) {
       $filepath = variable_get('user_picture_default', '');
     }
     if (isset($filepath)) {
-      $alt = t("@user's picture", array('@user' => $account->name ? $account->name : variable_get('anonymous', t('Anonymous'))));
+      $alt = t("@user's picture", array('@user' => format_username($account)));
       if (module_exists('image') && $style = variable_get('user_picture_style', '')) {
         $variables['user_picture'] = theme('image_style', array('style_name' => $style, 'path' => $filepath, 'alt' => $alt, 'title' => $alt, 'attributes' => array(), 'getsize' => FALSE));
       }
@@ -1632,7 +1632,7 @@ function user_uid_optional_to_arg($arg) {
  * Menu item title callback - use the user name.
  */
 function user_page_title($account) {
-  return $account->name;
+  return format_username($account);
 }
 
 /**
diff --git a/modules/user/user.test b/modules/user/user.test
index 1220e6c54..67d885722 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -701,7 +701,7 @@ class UserPictureTestCase extends DrupalWebTestCase {
         // user's profile page.
         $text = t('The image was resized to fit within the maximum allowed dimensions of %dimensions pixels.', array('%dimensions' => $test_dim));
         $this->assertRaw($text, t('Image was resized.'));
-        $alt = t("@user's picture", array('@user' => $this->user->name));
+        $alt = t("@user's picture", array('@user' => format_username($this->user)));
         $style = variable_get('user_picture_style', '');
         $this->assertRaw(image_style_url($style, $pic_path), t("Image is displayed in user's edit page"));
author	Angie Byron <webchick@24967.no-reply.drupal.org>	2009-11-01 21:26:44 +0000
committer	Angie Byron <webchick@24967.no-reply.drupal.org>	2009-11-01 21:26:44 +0000
commit	ca8eee7545f75c199bde0121bd6a0792d67c5b91 (patch)
tree	5e805f30c93c7a005e0cb422dd0ea95ca849d84f /modules
parent	b882d991d01544fb458cb58614fdba4fab0997eb (diff)
download	brdo-ca8eee7545f75c199bde0121bd6a0792d67c5b91.tar.gz brdo-ca8eee7545f75c199bde0121bd6a0792d67c5b91.tar.bz2