-rw-r--r-- | modules/user/user.module | 14 | ||||
-rw-r--r-- | modules/user/user.test | 33 |
2 files changed, 44 insertions, 3 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index e8a0cd18d..e92ce8973 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -849,9 +849,10 @@ function user_search_execute($keys = NULL) {
 // Replace wildcards with MySQL/PostgreSQL wildcards.
 $keys = preg_replace('!\*+!', '%', $keys);
 $query = db_select('users')->extend('PagerDefault');
- $query->fields('users', array('name', 'uid', 'mail'));
+ $query->fields('users', array('name', 'uid'));
 if (user_access('administer users')) {
 // Administrators can also search in the otherwise private email field.
+ $query->fields('users', array('mail'));
 $query->condition(db_or()->
 condition('name', '%' . db_like($keys) . '%', 'LIKE')->
 condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
@@ -862,8 +863,15 @@ function user_search_execute($keys = NULL) {
 $result = $query
 ->limit(15)
 ->execute();
- foreach ($result as $account) {
- $find[] = array('title' => $account->name . ' (' . $account->mail . ')', 'link' => url('user/' . $account->uid, array('absolute' => TRUE)));
+ if (user_access('administer users')) {
+ foreach ($result as $account) {
+ $find[] = array('title' => $account->name . ' (' . $account->mail . ')', 'link' => url('user/' . $account->uid, array('absolute' => TRUE)));
+ }
+ }
+ else {
+ foreach ($result as $account) {
+ $find[] = array('title' => $account->name, 'link' => url('user/' . $account->uid, array('absolute' => TRUE)));
+ }
 }
 return $find;
 }
diff --git a/modules/user/user.test b/modules/user/user.test
index 903fd16bf..78e121672 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
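Review bot: The `administer users` check is now evaluated in two separate places, once where `mail` is added to the selected fields and again where `$account->mail` is read in the result loop, and nothing keeps the two in step; if one condition is later edited alone, the title either reads a column that was never selected or the address is exposed again. Evaluating the permission once into a local before the query is built and using it at both sites, with a single `foreach` that appends the address only for administrators, removes that coupling and the duplicated loop. The condition applied for users without the permission lies between the two hunks and is not visible here; it is worth confirming that it matches on `name` only, because a match on `mail` would still let a search confirm that an address is registered even though the column is no longer shown. user_search_execute() begins before the first hunk.

```php
// Evaluated once, before the query is built.
$is_admin = user_access('administer users');
// … unchanged: query construction, with the existing check reading if ($is_admin) …
foreach ($result as $account) {
  $title = $account->name;
  if ($is_admin) {
    // The mail column is only selected when $is_admin is TRUE.
    $title .= ' (' . $account->mail . ')';
  }
  $find[] = array('title' => $title, 'link' => url('user/' . $account->uid, array('absolute' => TRUE)));
}
```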
@@ -1585,3 +1585,36 @@ class UserTokenReplaceTestCase extends DrupalWebTestCase {
 }
 }
 }
+
+/**
+ * Test user search.
+ */
+class UserUserSearchTestCase extends DrupalWebTestCase {
+ public static function getInfo() {
+ return array(
+ 'name' => 'User search',
+ 'description' => 'Testing that only user with the right permission can see the email address in the user search.',
+ 'group' => 'User',
+ );
+ }
+
+ function testUserSearch() {
+ $user1 = $this->drupalCreateUser(array('access user profiles', 'search content', 'use advanced search'));
+ $this->drupalLogin($user1);
+ $keys = $user1->mail;
+ $edit = array('keys' => $keys);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertNoText($keys);
+ $this->drupalLogout();
+
+ $user2 = $this->drupalCreateUser(array('administer users', 'access user profiles', 'search content', 'use advanced search'));
+ $this->drupalLogin($user2);
+ $keys = $user2->mail;
+ $edit = array('keys' => $keys);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertText($keys);
+ $this->drupalLogout();
+ }
+}
+
+
|
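Review bot: The non-administrator half of testUserSearch() searches for `$user1->mail` and then asserts that the same string is absent, which likely passes with or without the change to user_search_execute(): if users without `administer users` are matched on name only (that branch is not visible in this commit), the search returns no rows and the result title is never rendered. Searching by name exercises the title that the fix changes: `$edit = array('keys' => $user1->name);`, then `$this->assertText($user1->name);` and `$this->assertNoText($user1->mail);`. The administrator half is fine as written, since it needs the address both matched and displayed.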