From 1238ccd6d05a7fd112c726e097998d68e8da12d7 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Sun, 15 Oct 2006 20:09:18 +0000
Subject: - Patch #89323 by hunmonk: control access to mass operations.
---
 modules/user/user.module | 59 +++++++++++++++++++++++++++++-------------------
 1 file changed, 36 insertions(+), 23 deletions(-)
(limited to 'modules/user/user.module')
diff --git a/modules/user/user.module b/modules/user/user.module
index 67d44aaa3..d83802e25 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -2090,19 +2090,6 @@ function user_admin_account_validate($form_id, $form_values) {
 function user_user_operations() {
   global $form_values;
 
-  $roles = user_roles(1);
-  unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
-
-  $add_roles = array();
-  foreach ($roles as $key => $value) {
-    $add_roles['add_role-'. $key] = $value;
-  }
-
-  $remove_roles = array();
-  foreach ($roles as $key => $value) {
-    $remove_roles['remove_role-'. $key] = $value;
-  }
-
   $operations = array(
     'unblock' => array(
       'label' => t('Unblock the selected users'),
@@ -2112,27 +2099,53 @@ function user_user_operations() {
       'label' => t('Block the selected users'),
       'callback' => 'user_user_operations_block',
     ),
-    t('Add a role to the selected users') => array(
-      'label' => $add_roles,
-    ),
-    t('Remove a role from the selected users') => array(
-      'label' => $remove_roles,
-    ),
     'delete' => array(
       'label' => t('Delete the selected users'),
     ),
   );
 
+  if (user_access('administer access control')) {
+    $roles = user_roles(1);
+    unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
+
+    $add_roles = array();
+    foreach ($roles as $key => $value) {
+      $add_roles['add_role-'. $key] = $value;
+    }
+
+    $remove_roles = array();
+    foreach ($roles as $key => $value) {
+      $remove_roles['remove_role-'. $key] = $value;
+    }
+
+    $role_operations = array(
+      t('Add a role to the selected users') => array(
+        'label' => $add_roles,
+      ),
+      t('Remove a role from the selected users') => array(
+        'label' => $remove_roles,
+      ),
+    );
+
+    $operations += $role_operations;
+  }
+
   // If the form has been posted, we need to insert the proper data for role editing if necessary.
   if ($form_values) {
     $operation_rid = explode('-', $form_values['operation']);
     $operation = $operation_rid[0];
     $rid = $operation_rid[1];
     if ($operation == 'add_role' || $operation == 'remove_role') {
-      $operations[$form_values['operation']] = array(
-        'callback' => 'user_multiple_role_edit',
-        'callback arguments' => array($operation, $rid),
-      );
+      if (user_access('administer access control')) {
+        $operations[$form_values['operation']] = array(
+          'callback' => 'user_multiple_role_edit',
+          'callback arguments' => array($operation, $rid),
+        );
+      }
+      else {
+        watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
+        return;
+      }
     }
   }
 
-- 
cgit v1.2.3
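Review bot: The role id parsed from the posted form, `$rid = $operation_rid[1];`, is still passed unchecked into the new `if (user_access('administer access control'))` branch as a callback argument, so a request can name any rid, including DRUPAL_AUTHENTICATED_RID, which the first added block explicitly drops from `$roles` under the comment "Can't edit authenticated role". That `$roles` array is only built when the same permission holds, so the posted path can reuse it and keep the offered and accepted role sets identical: `if (user_access('administer access control') && isset($roles[$rid])) {`. The permission is also evaluated twice in the function; storing it once in a local such as `$can_edit_roles = user_access('administer access control');` keeps the two checks from drifting apart. user_user_operations continues past the hunk, so what the normal path returns is outside this view.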