From ad74b700c49b3c6ad46a2c1a3c6fed2528fea6cf Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Mon, 14 Nov 2005 21:49:47 +0000
Subject: - Patch #32669 by DriesK: split blocking users from 'adminsiter access'.

---
 modules/user/user.module | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'modules/user/user.module')
diff --git a/modules/user/user.module b/modules/user/user.module
index 72564c5e8..af603cd75 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1154,8 +1154,10 @@ function user_edit_form($uid, $edit) {
   $form['account']['name'] = array('#type' => 'textfield', '#title' => t('Username'), '#default_value' => $edit['name'], '#maxlength' => 55, '#description' => t('Your full name or your preferred username: only letters, numbers and spaces are allowed.'), '#required' => TRUE);
   $form['account']['mail'] = array('#type' => 'textfield', '#title' => t('E-mail address'), '#default_value' => $edit['mail'], '#maxlength' => 55, '#description' => t('Insert a valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'), '#required' => TRUE);
   $form['account']['pass'] = array('#type' => 'item', '#title' => t('Password'), '#value' => ' ', '#required' => true);
-  if (user_access('administer access control')) {
+  if (user_access('administer users')) {
     $form['account']['status'] = array('#type' => 'radios', '#title' => t('Status'), '#default_value' => $edit['status'], '#options' => array(t('Blocked'), t('Active')));
+  }
+  if (user_access('administer access control')) {
     $form['account']['roles'] = array('#type' => 'checkboxes', '#title' => t('Roles'), '#default_value' => array_keys($edit['roles']), '#options' => user_roles(1), '#description' => t('Select at least one role. The user receives the combined permissions of all of the selected roles.'), '#required' => TRUE);
   }
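Review bot: The two permission checks that now gate `status` and `roles` carry no comment explaining why they differ, even though that split is the whole point of the commit, so a later reader of user_edit_form cannot tell whether the asymmetry is deliberate. Suggest adding above the first `if`: `// Blocking/unblocking an account needs 'administer users'; assigning roles needs 'administer access control'. Keep this in step with the protected-field check in user_edit().` Hiding a field here is presentation only: if `$edit` is populated from the request, the server-side check in user_edit() is what actually enforces the restriction, so any field gated here should also appear in that list. user_edit_form continues past the end of the hunk.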
@@ -1244,7 +1246,8 @@ function user_edit($category = 'account') {
   if (!form_get_errors()) {
     // Validate input to ensure that non-privileged users can't alter protected data.
-    if (!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'roles', 'init', 'session'))) {
+    if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) ||
+        (!user_access('administer access control') && isset($edit['roles']))) {
       watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
     }
     else {
-- 
cgit v1.2.3
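Review bot: `status` is missing from the protected-field list in the new condition, although the form now hides the status radios from anyone without 'administer users', so the server-side guard no longer mirrors the form gating. If `$edit` comes from the request, as the comment above the check implies, a user without that permission can still submit `status`, which at minimum lets an account block itself; the first branch should read `(!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session', 'status')))`. The second branch uses `isset($edit['roles'])`, which is false when the key is present with a null value; `array_key_exists('roles', $edit)` matches the key-based test of the first branch and rejects the key regardless of its value. The enclosing if/else continues past the end of the hunk.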