From e6f4f5ab146c44babd0a5e7865268de853b78463 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Tue, 6 Sep 2005 20:39:10 +0000
Subject: [PATCH] - Patch #27949 by Robert: the two theme functions in profile.module both violate good theming practice by running user control logic in the middle of them. Worse yet, this isn't immediately visible since it happens in yet another function. Thus themers overriding these functions to style profile pages inadvertently break access control, thus leading to the misperception that overriding theme functions is inherently dangerous.
---
modules/profile.module | 34 +++++++++++++++++++++++++---------
modules/profile/profile.module | 34 +++++++++++++++++++++++++---------
2 files changed, 50 insertions(+), 18 deletions(-)
diff --git a/modules/profile.module b/modules/profile.module
index db4c53d22c4..ffef5f58afa 100644
--- a/modules/profile.module
+++ b/modules/profile.module
@@ -69,6 +69,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) {
}
if ($fields) {
+ _profile_update_user_fields($fields, $account);
$output .= theme('profile_block', $account, $fields, true);
}
@@ -163,7 +164,9 @@ function profile_browse() {
$output = '
';
while ($account = db_fetch_object($result)) {
- $output .= theme('profile_listing', user_load(array('uid' => $account->uid)), $fields);
+ $account = user_load(array('uid' => $account->uid));
+ _profile_update_user_fields($fields, $account);
+ $output .= theme('profile_listing', $account, $fields);
}
$output .= theme('pager', NULL, 20);
@@ -194,7 +197,9 @@ function profile_browse() {
$output = '
';
while ($account = db_fetch_object($result)) {
- $output .= theme('profile_listing', user_load(array('uid' => $account->uid)), $fields);
+ $account = user_load(array('uid' => $account->uid));
+ _profile_update_user_fields($fields, $account);
+ $output .= theme('profile_listing', $account, $fields);
}
$output .= '
';
$output .= theme('pager', NULL, 20);
@@ -365,6 +370,17 @@ function profile_form_profile($edit, $user, $category) {
}
}
+/**
+ * Helper function: update an array of user fields by calling profile_view_field
+ */
+function _profile_update_user_fields(&$fields, $account) {
+ foreach ($fields as $key => $field) {
+ if ($value = profile_view_field($account, $field)) {
+ $fields[$key]->value = $value;
+ }
+ }
+}
+
/**
* Helper function: output a date selector
*/
@@ -631,12 +647,12 @@ function profile_admin_overview() {
return $output;
}
-function theme_profile_block($user, $fields = array()) {
+function theme_profile_block($account, $fields = array()) {
- $output .= theme('user_picture', $user);
+ $output .= theme('user_picture', $account);
foreach ($fields as $field) {
- if ($value = profile_view_field($user, $field)) {
+ if ($field->value) {
$output .= "
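Review bot: `_profile_update_user_fields()` only assigns `$fields[$key]->value` when `profile_view_field()` returns a truthy value, so a field populated for one account keeps that value when the next account yields nothing. The `profile_browse()` loops in the `@@ -163` and `@@ -194` hunks load `$fields` once and pass the same array by reference for every account, so an earlier user's field value can be rendered under a later user whenever `profile_view_field()` returns empty — presumably also the case when the viewer is not allowed to see that field, which would turn the access check this patch centralises into a cross-user disclosure. Assigning unconditionally, `$fields[$key]->value = profile_view_field($account, $field);`, resets the value on every pass, and the theme functions already test `if ($field->value)`. The same helper and loops are duplicated in modules/profile/profile.module.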

$field->title:
$value

\n";
}
}
@@ -644,14 +660,14 @@ function theme_profile_block($user, $fields = array()) {
return $output;
}
-function theme_profile_listing($user, $fields = array()) {
+function theme_profile_listing($account, $fields = array()) {
$output = "
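Review bot: `theme_profile_block()` now depends on its caller having run `_profile_update_user_fields()` so that every `$field->value` is already populated and access-checked, but nothing on the function says so; a themer overriding it, or a module calling it directly with raw field rows, gets undefined-property notices and empty output, which is exactly the confusion the commit message describes. A docblock above the function stating that `$fields` must be pre-processed by `_profile_update_user_fields()` and that overrides must not call `profile_view_field()` themselves would make the contract explicit; the same applies to `theme_profile_listing()` in the `@@ -644` hunk and to both copies in modules/profile/profile.module. Separately, the rewritten `$output .= theme('user_picture', $account);` appends to an unset `$output`; `$output = theme('user_picture', $account);` avoids the notice (the rest of the function body lies in the following hunk).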
\n";
- $output .= theme('user_picture', $user);
- $output .= '
'. theme('username', $user) ."
\n";
+ $output .= theme('user_picture', $account);
+ $output .= '
'. theme('username', $account) ."
\n";
foreach ($fields as $field) {
- if ($value = profile_view_field($user, $field)) {
+ if ($field->value) {
$output .= "
$value
\n";
}
}
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index db4c53d22c4..ffef5f58afa 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -69,6 +69,7 @@ function profile_block($op = 'list', $delta = 0, $edit = array()) {
}
if ($fields) {
+ _profile_update_user_fields($fields, $account);
$output .= theme('profile_block', $account, $fields, true);
}
@@ -163,7 +164,9 @@ function profile_browse() {
$output = '
';
while ($account = db_fetch_object($result)) {
- $output .= theme('profile_listing', user_load(array('uid' => $account->uid)), $fields);
+ $account = user_load(array('uid' => $account->uid));
+ _profile_update_user_fields($fields, $account);
+ $output .= theme('profile_listing', $account, $fields);
}
$output .= theme('pager', NULL, 20);
@@ -194,7 +197,9 @@ function profile_browse() {
$output = '
';
while ($account = db_fetch_object($result)) {
- $output .= theme('profile_listing', user_load(array('uid' => $account->uid)), $fields);
+ $account = user_load(array('uid' => $account->uid));
+ _profile_update_user_fields($fields, $account);
+ $output .= theme('profile_listing', $account, $fields);
}
$output .= '
';
$output .= theme('pager', NULL, 20);
@@ -365,6 +370,17 @@ function profile_form_profile($edit, $user, $category) {
}
}
+/**
+ * Helper function: update an array of user fields by calling profile_view_field
+ */
+function _profile_update_user_fields(&$fields, $account) {
+ foreach ($fields as $key => $field) {
+ if ($value = profile_view_field($account, $field)) {
+ $fields[$key]->value = $value;
+ }
+ }
+}
+
/**
* Helper function: output a date selector
*/
@@ -631,12 +647,12 @@ function profile_admin_overview() {
return $output;
}
-function theme_profile_block($user, $fields = array()) {
+function theme_profile_block($account, $fields = array()) {
- $output .= theme('user_picture', $user);
+ $output .= theme('user_picture', $account);
foreach ($fields as $field) {
- if ($value = profile_view_field($user, $field)) {
+ if ($field->value) {
$output .= "

$field->title:
$value

\n";
}
}
@@ -644,14 +660,14 @@ function theme_profile_block($user, $fields = array()) {
return $output;
}
-function theme_profile_listing($user, $fields = array()) {
+function theme_profile_listing($account, $fields = array()) {
$output = "
\n";
- $output .= theme('user_picture', $user);
- $output .= '
'. theme('username', $user) ."
\n";
+ $output .= theme('user_picture', $account);
+ $output .= '
'. theme('username', $account) ."
\n";
foreach ($fields as $field) {
- if ($value = profile_view_field($user, $field)) {
+ if ($field->value) {
$output .= "
$value
\n";
}
}