- Patch #89323 by hunmonk: control access to mass operations.
parent
d692d438a3
commit
1238ccd6d0
|
@ -2090,19 +2090,6 @@ function user_admin_account_validate($form_id, $form_values) {
|
|||
function user_user_operations() {
|
||||
global $form_values;
|
||||
|
||||
$roles = user_roles(1);
|
||||
unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
|
||||
|
||||
$add_roles = array();
|
||||
foreach ($roles as $key => $value) {
|
||||
$add_roles['add_role-'. $key] = $value;
|
||||
}
|
||||
|
||||
$remove_roles = array();
|
||||
foreach ($roles as $key => $value) {
|
||||
$remove_roles['remove_role-'. $key] = $value;
|
||||
}
|
||||
|
||||
$operations = array(
|
||||
'unblock' => array(
|
||||
'label' => t('Unblock the selected users'),
|
||||
|
@ -2112,27 +2099,53 @@ function user_user_operations() {
|
|||
'label' => t('Block the selected users'),
|
||||
'callback' => 'user_user_operations_block',
|
||||
),
|
||||
t('Add a role to the selected users') => array(
|
||||
'label' => $add_roles,
|
||||
),
|
||||
t('Remove a role from the selected users') => array(
|
||||
'label' => $remove_roles,
|
||||
),
|
||||
'delete' => array(
|
||||
'label' => t('Delete the selected users'),
|
||||
),
|
||||
);
|
||||
|
||||
if (user_access('administer access control')) {
|
||||
$roles = user_roles(1);
|
||||
unset($roles[DRUPAL_AUTHENTICATED_RID]); // Can't edit authenticated role.
|
||||
|
||||
$add_roles = array();
|
||||
foreach ($roles as $key => $value) {
|
||||
$add_roles['add_role-'. $key] = $value;
|
||||
}
|
||||
|
||||
$remove_roles = array();
|
||||
foreach ($roles as $key => $value) {
|
||||
$remove_roles['remove_role-'. $key] = $value;
|
||||
}
|
||||
|
||||
$role_operations = array(
|
||||
t('Add a role to the selected users') => array(
|
||||
'label' => $add_roles,
|
||||
),
|
||||
t('Remove a role from the selected users') => array(
|
||||
'label' => $remove_roles,
|
||||
),
|
||||
);
|
||||
|
||||
$operations += $role_operations;
|
||||
}
|
||||
|
||||
// If the form has been posted, we need to insert the proper data for role editing if necessary.
|
||||
if ($form_values) {
|
||||
$operation_rid = explode('-', $form_values['operation']);
|
||||
$operation = $operation_rid[0];
|
||||
$rid = $operation_rid[1];
|
||||
if ($operation == 'add_role' || $operation == 'remove_role') {
|
||||
$operations[$form_values['operation']] = array(
|
||||
'callback' => 'user_multiple_role_edit',
|
||||
'callback arguments' => array($operation, $rid),
|
||||
);
|
||||
if (user_access('administer access control')) {
|
||||
$operations[$form_values['operation']] = array(
|
||||
'callback' => 'user_multiple_role_edit',
|
||||
'callback arguments' => array($operation, $rid),
|
||||
);
|
||||
}
|
||||
else {
|
||||
watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
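Review bot: In the posted-form branch, `$rid` comes straight from `explode('-', $form_values['operation'])` and is passed to `user_multiple_role_edit` once the permission check passes, without being checked against the `$roles` list built earlier, from which `DRUPAL_AUTHENTICATED_RID` was deliberately removed. Unless form validation elsewhere already restricts the submitted value to the offered options, a role id the form never listed would still reach the callback. Tightening the inner condition to `if (user_access('administer access control') && isset($roles[$rid])) {` limits callback registration to the listed roles and routes anything else to the existing watchdog branch. An operation string without a `-` also leaves `$operation_rid[1]` unset, which the same `isset` check would cover. The function continues past the end of this section, so its final return is not visible here.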