#192692 by jrbeeman and mfer: (security) protect profile category page menu items with the visibility settings already available
parent
c40af9443d
commit
b0676c8f27
|
@ -443,11 +443,29 @@ function profile_categories() {
|
|||
$result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
|
||||
$data = array();
|
||||
while ($category = db_fetch_object($result)) {
|
||||
$data[] = array('name' => $category->category, 'title' => $category->category, 'weight' => 3);
|
||||
$data[] = array(
|
||||
'name' => $category->category,
|
||||
'title' => $category->category,
|
||||
'weight' => 3,
|
||||
'access callback' => 'profile_category_access',
|
||||
'access arguments' => array($category->category)
|
||||
);
|
||||
}
|
||||
return $data;
|
||||
}
|
||||
|
||||
/*
|
||||
* Menu item access callback - check if a user has access to a profile category.
|
||||
*/
|
||||
function profile_category_access($category) {
|
||||
if (user_access('administer users')) {
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
return db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Process variables for profile-block.tpl.php.
|
||||
*
|
||||
|
|
|
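Review bot: profile_category_access() receives only the category name, so for anyone without 'administer users' the result depends solely on whether the category has a non-hidden field, never on whose edit tab is being requested. This callback becomes the only menu-level access check on the category tab (see the user_menu() hunk), so unless user_edit enforces ownership itself, which is not visible here, the callback should also take the account. Passing `'access arguments' => array(1, $category->category)`, declaring `function profile_category_access($account, $category)` and returning `user_edit_access($account) && db_result(...)` would cover it, assuming user_edit_access() is available in this tree. The new comment block also opens with `/*` rather than `/**`, so it will not be treated as a docblock.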
@ -1072,6 +1072,8 @@ function user_menu() {
|
|||
'title arguments' => array($category['title']),
|
||||
'page callback' => 'user_edit',
|
||||
'page arguments' => array(1, 3),
|
||||
'access callback' => isset($category['access callback']) ? $category['access callback'] : TRUE,
|
||||
'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(),
|
||||
'type' => MENU_LOCAL_TASK,
|
||||
'weight' => $category['weight'],
|
||||
'file' => 'user.pages.inc',
|
||||
|
|
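Review bot: The fallback `TRUE` on the 'access callback' line leaves the edit tab of every category that supplies no callback of its own unconditionally accessible at the menu layer. Before this change an item without the key would presumably have inherited its parent's access check. Defaulting to the account-edit check keeps other modules' categories closed by default: `'access callback' => isset($category['access callback']) ? $category['access callback'] : 'user_edit_access',` with `array(1)` as the default for 'access arguments'. user_menu() starts and ends outside this hunk, so confirm the parent item's callback before settling on the default.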