From 23bccfd1c8731823205354768e5cf7a61e42a395 Mon Sep 17 00:00:00 2001
From: Steven Wittens <steven@10.no-reply.drupal.org>
Date: Mon, 11 Apr 2005 22:48:27 +0000
Subject: - #4166: Respect 'access userlist' permission for profile data.

---
 modules/user/user.module | 79 +++++++++++++++++++++++++++---------------------
 1 file changed, 45 insertions(+), 34 deletions(-)

(limited to 'modules/user/user.module')

diff --git a/modules/user/user.module b/modules/user/user.module
index 04db17f12..f4c1055ca 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -403,7 +403,7 @@ function user_fields() {
  * Implementation of hook_perm().
  */
 function user_perm() {
-  return array('administer users');
+  return array('administer users', 'access user profiles');
 }
 
 /**
@@ -424,16 +424,20 @@ function user_file_download($file) {
 function user_search($op = 'search', $keys = null) {
   switch ($op) {
     case 'name':
-      return t('users');
+      if (user_access('access user profiles')) {
+        return t('users');
+      }
     case 'search':
-      $find = array();
-      // Replace wildcards with MySQL/PostgreSQL wildcards.
-      $keys = preg_replace('!\*+!', '%', $keys);
-      $result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
-      while ($account = db_fetch_object($result)) {
-        $find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
+      if (user_access('access user profiles')) {
+        $find = array();
+        // Replace wildcards with MySQL/PostgreSQL wildcards.
+        $keys = preg_replace('!\*+!', '%', $keys);
+        $result = pager_query("SELECT * FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
+        while ($account = db_fetch_object($result)) {
+          $find[] = array('title' => $account->name, 'link' => url("user/$account->uid/view"));
+        }
+        return $find;
       }
-      return $find;
   }
 }
 
@@ -525,7 +529,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
         return $block;
 
       case 2:
-        if (user_access('access content')) {
+        if (user_access('access content') && user_access('access user profiles')) {
           $result = db_query_range('SELECT uid, name FROM {users} WHERE status != 0 ORDER BY uid DESC', 0, 5);
           while ($account = db_fetch_object($result)) {
             $items[] = format_name($account);
@@ -539,7 +543,7 @@ function user_block($op = 'list', $delta = 0, $edit = array()) {
         return $block;
 
       case 3:
-        if (user_access('access content')) {
+        if (user_access('access content') && user_access('access user profiles')) {
           // Count users with activity in the past defined period.
           $time_period = variable_get('user_block_seconds_online', 2700);
 
@@ -625,11 +629,15 @@ function user_menu($may_cache) {
 
   $items = array();
 
-  $access = user_access('administer users');
+  $admin_access = user_access('administer users');
+  // users should always be allowed to see their own user page
+  $view_access = (user_access('access user profiles') || ($user->uid == arg(1)));
 
   if ($may_cache) {
     $items[] = array('path' => 'user', 'title' => t('user account'),
       'callback' => 'user_page', 'access' => TRUE, 'type' => MENU_CALLBACK);
+
+    //registration and login pages. 
     $items[] = array('path' => 'user/login', 'title' => t('log in'),
       'type' => MENU_DEFAULT_LOCAL_TASK);
     $items[] = array('path' => 'user/register', 'title' => t('register'),
@@ -639,53 +647,53 @@ function user_menu($may_cache) {
     $items[] = array('path' => 'user/help', 'title' => t('help'),
       'callback' => 'user_help_page', 'type' => MENU_CALLBACK);
 
+    //admin pages
     $items[] = array('path' => 'admin/user', 'title' => t('users'),
-      'callback' => 'user_admin', 'access' => $access);
+      'callback' => 'user_admin', 'access' => $admin_access);
     $items[] = array('path' => 'admin/user/list', 'title' => t('list'),
       'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
     $items[] = array('path' => 'admin/user/create', 'title' => t('add user'),
-      'callback' => 'user_admin', 'access' => $access,
+      'callback' => 'user_admin', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'admin/user/configure', 'title' => t('configure'),
-      'callback' => 'user_configure', 'access' => $access,
+      'callback' => 'user_configure', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK);
-
     $items[] = array('path' => 'admin/access', 'title' => t('access control'),
-      'callback' => 'user_admin_perm', 'access' => $access);
+      'callback' => 'user_admin_perm', 'access' => $admin_access);
     $items[] = array('path' => 'admin/access/permissions', 'title' => t('permissions'),
-      'callback' => 'user_admin_perm', 'access' => $access,
+      'callback' => 'user_admin_perm', 'access' => $admin_access,
       'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
     $items[] = array('path' => 'admin/access/roles', 'title' => t('roles'),
-      'callback' => 'user_admin_role', 'access' => $access,
+      'callback' => 'user_admin_role', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'admin/access/roles/edit', 'title' => t('edit role'),
-      'callback' => 'user_admin_role', 'access' => $access,
+      'callback' => 'user_admin_role', 'access' => $admin_access,
       'type' => MENU_CALLBACK);
-
     $items[] = array('path' => 'admin/access/rules', 'title' => t('account rules'),
-      'callback' => 'user_admin_access', 'access' => $access,
+      'callback' => 'user_admin_access', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK, 'weight' => 10);
     $items[] = array('path' => 'admin/access/rules/list', 'title' => t('list'),
-      'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+      'access' => $admin_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
     $items[] = array('path' => 'admin/access/rules/add', 'title' => t('add rule'),
-      'callback' => 'user_admin_access_add', 'access' => $access,
+      'callback' => 'user_admin_access_add', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'admin/access/rules/check', 'title' => t('check rules'),
-      'callback' => 'user_admin_access_check', 'access' => $access,
+      'callback' => 'user_admin_access_check', 'access' => $admin_access,
       'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'admin/access/rules/edit', 'title' => t('edit rule'),
-      'callback' => 'user_admin_access_edit', 'access' => $access,
+      'callback' => 'user_admin_access_edit', 'access' => $admin_access,
       'type' => MENU_CALLBACK);
     $items[] = array('path' => 'admin/access/rules/delete', 'title' => t('delete rule'),
-      'callback' => 'user_admin_access_delete', 'access' => $access,
+      'callback' => 'user_admin_access_delete', 'access' => $admin_access,
       'type' => MENU_CALLBACK);
 
     if (module_exist('search')) {
       $items[] = array('path' => 'admin/user/search', 'title' => t('search'),
-        'callback' => 'user_admin', 'access' => $access,
+        'callback' => 'user_admin', 'access' => $admin_access,
         'type' => MENU_LOCAL_TASK);
     }
 
+    //Your personal page
     if ($user->uid) {
       $items[] = array('path' => 'user/'. $user->uid, 'title' => t('my account'),
         'callback' => 'user_page', 'access' => TRUE,
@@ -700,22 +708,25 @@ function user_menu($may_cache) {
   else {
     if (arg(0) == 'user' && is_numeric(arg(1))) {
       $items[] = array('path' => 'user/'. arg(1), 'title' => t('user'),
-        'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => TRUE);
+        'type' => MENU_CALLBACK, 'callback' => 'user_page', 'access' => $view_access);
       $items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
-        'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+        'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
       $items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
-        'callback' => 'user_edit', 'access' => $access || $user->uid == arg(1),
+        'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1),
         'type' => MENU_LOCAL_TASK);
       $items[] = array('path' => 'user/'. arg(1) .'/delete', 'title' => t('delete'),
-        'callback' => 'user_edit', 'access' => $access,
+        'callback' => 'user_edit', 'access' => $admin_access,
         'type' => MENU_CALLBACK);
 
       if (arg(2) == 'edit') {
         if (($categories = _user_categories()) && (count($categories) > 1)) {
           foreach ($categories as $key => $category) {
-            $items[] = array('path' => 'user/'. arg(1) .'/edit/'. $category['name'], 'title' => $category['title'],
+            $items[] = array(
+              'path' => 'user/'. arg(1) .'/edit/'. $category['name'],
+              'title' => $category['title'],
               'type' => $category['name'] == 'account' ? MENU_DEFAULT_LOCAL_TASK : MENU_LOCAL_TASK,
-              'weight' => $category['weight']);
+              'weight' => $category['weight'],
+              'access' => $admin_access);
           }
         }
       }
-- 
cgit v1.2.3