Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

- Patch #41305 by chx: user edit form submit model rewrite.

4.7.x
Dries Buytaert 2005-12-19 10:02:33 +00:00
parent 8b0461940d
commit d21dda89b3
2 changed files with 48 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
modules/user.module
View File

@ -1259,25 +1259,7 @@ function user_edit($category = 'account') {
$account = user_load(array('uid' => arg(1))); $account = user_load(array('uid' => arg(1)));
$edit = $_POST['op'] ? $_POST['edit'] : object2array($account); $edit = $_POST['op'] ? $_POST['edit'] : object2array($account);
if ($_POST['op'] == t('Submit')) { if (arg(2) == 'delete') {
user_module_invoke('validate', $edit, $account, $category);
if (!form_get_errors()) {
// Validate input to ensure that non-privileged users can't alter protected data.
if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) ||
(!user_access('administer access control') && isset($edit['roles']))) {
watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
}
else {
user_save($account, $edit, $category);
// Delete that user's menu cache.
cache_clear_all('menu:'. $account->uid, TRUE);
drupal_set_message(t('The changes have been saved.'));
drupal_goto("user/$account->uid");
}
}
}
else if (arg(2) == 'delete') {
if ($edit['confirm']) { if ($edit['confirm']) {
db_query('DELETE FROM {users} WHERE uid = %d', $account->uid); db_query('DELETE FROM {users} WHERE uid = %d', $account->uid);
db_query('DELETE FROM {sessions} WHERE uid = %d', $account->uid); db_query('DELETE FROM {sessions} WHERE uid = %d', $account->uid);
@ -1297,6 +1279,8 @@ function user_edit($category = 'account') {
} }
$form = _user_forms($edit, $account, $category); $form = _user_forms($edit, $account, $category);
$form['_category'] = array('#type' => 'value', '#value' => $category);
$form['_account'] = array('#type' => 'value', '#value' => $account);
$form['submit'] = array('#type' => 'submit', '#value' => t('Submit'), '#weight' => 30); $form['submit'] = array('#type' => 'submit', '#value' => t('Submit'), '#weight' => 30);
if (user_access('administer users')) { if (user_access('administer users')) {
$form['delete'] = array('#type' => 'submit', '#value' => t('Delete'), '#weight' => 31); $form['delete'] = array('#type' => 'submit', '#value' => t('Delete'), '#weight' => 31);
@ -1307,6 +1291,26 @@ function user_edit($category = 'account') {
return drupal_get_form('user_edit', $form); return drupal_get_form('user_edit', $form);
} }
function user_edit_validate($form_id, $form_values) {
user_module_invoke('validate', $form_values, $form_values['_account'], $form_values['_category']);
// Validate input to ensure that non-privileged users can't alter protected data.
if ((!user_access('administer users') && array_intersect(array_keys($form_values), array('uid', 'init', 'session'))) || (!user_access('administer access control') && isset($form_values['roles']))) {
$message = t('Detected malicious attempt to alter protected user fields.');
watchdog('security', $message, WATCHDOG_WARNING);
// set this to a value type field
form_set_error('category', $message);
}
}
function user_edit_submit($form_id, $form_values) {
$account = $form_values['_account'];
user_save($account, $form_values, $form_values['_category']);
// Delete that user's menu cache.
cache_clear_all('menu:'. $account->uid, TRUE);
drupal_set_message(t('The changes have been saved.'));
drupal_goto('user/'. $account->uid);
}
function user_view($uid = 0) { function user_view($uid = 0) {
global $user; global $user;
@ -1920,7 +1924,7 @@ function _user_forms(&$edit, $account, $category, $hook = 'form') {
$groups = array_merge($data, $groups); $groups = array_merge($data, $groups);
} }
} }
usort($groups, '_user_sort'); uasort($groups, '_user_sort');
return empty($groups) ? FALSE : $groups; return empty($groups) ? FALSE : $groups;
} }

44
modules/user/user.module
View File

@ -1259,25 +1259,7 @@ function user_edit($category = 'account') {
$account = user_load(array('uid' => arg(1))); $account = user_load(array('uid' => arg(1)));
$edit = $_POST['op'] ? $_POST['edit'] : object2array($account); $edit = $_POST['op'] ? $_POST['edit'] : object2array($account);
if ($_POST['op'] == t('Submit')) { if (arg(2) == 'delete') {
user_module_invoke('validate', $edit, $account, $category);
if (!form_get_errors()) {
// Validate input to ensure that non-privileged users can't alter protected data.
if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) ||
(!user_access('administer access control') && isset($edit['roles']))) {
watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
}
else {
user_save($account, $edit, $category);
// Delete that user's menu cache.
cache_clear_all('menu:'. $account->uid, TRUE);
drupal_set_message(t('The changes have been saved.'));
drupal_goto("user/$account->uid");
}
}
}
else if (arg(2) == 'delete') {
if ($edit['confirm']) { if ($edit['confirm']) {
db_query('DELETE FROM {users} WHERE uid = %d', $account->uid); db_query('DELETE FROM {users} WHERE uid = %d', $account->uid);
db_query('DELETE FROM {sessions} WHERE uid = %d', $account->uid); db_query('DELETE FROM {sessions} WHERE uid = %d', $account->uid);
@ -1297,6 +1279,8 @@ function user_edit($category = 'account') {
} }
$form = _user_forms($edit, $account, $category); $form = _user_forms($edit, $account, $category);
$form['_category'] = array('#type' => 'value', '#value' => $category);
$form['_account'] = array('#type' => 'value', '#value' => $account);
$form['submit'] = array('#type' => 'submit', '#value' => t('Submit'), '#weight' => 30); $form['submit'] = array('#type' => 'submit', '#value' => t('Submit'), '#weight' => 30);
if (user_access('administer users')) { if (user_access('administer users')) {
$form['delete'] = array('#type' => 'submit', '#value' => t('Delete'), '#weight' => 31); $form['delete'] = array('#type' => 'submit', '#value' => t('Delete'), '#weight' => 31);
@ -1307,6 +1291,26 @@ function user_edit($category = 'account') {
return drupal_get_form('user_edit', $form); return drupal_get_form('user_edit', $form);
} }
function user_edit_validate($form_id, $form_values) {
user_module_invoke('validate', $form_values, $form_values['_account'], $form_values['_category']);
// Validate input to ensure that non-privileged users can't alter protected data.
if ((!user_access('administer users') && array_intersect(array_keys($form_values), array('uid', 'init', 'session'))) || (!user_access('administer access control') && isset($form_values['roles']))) {
$message = t('Detected malicious attempt to alter protected user fields.');
watchdog('security', $message, WATCHDOG_WARNING);
// set this to a value type field
form_set_error('category', $message);
}
}
function user_edit_submit($form_id, $form_values) {
$account = $form_values['_account'];
user_save($account, $form_values, $form_values['_category']);
// Delete that user's menu cache.
cache_clear_all('menu:'. $account->uid, TRUE);
drupal_set_message(t('The changes have been saved.'));
drupal_goto('user/'. $account->uid);
}
function user_view($uid = 0) { function user_view($uid = 0) {
global $user; global $user;
@ -1920,7 +1924,7 @@ function _user_forms(&$edit, $account, $category, $hook = 'form') {
$groups = array_merge($data, $groups); $groups = array_merge($data, $groups);
} }
} }
usort($groups, '_user_sort'); uasort($groups, '_user_sort');
return empty($groups) ? FALSE : $groups; return empty($groups) ? FALSE : $groups;
} }