Drupal profile_permissions

Sometimes you encounter a bug which makes you... not so happy.

On the Unquendor site, which is still Drupal 6, I use profile fields extensively. These are basically attributes of users. Not only names and addresses, but also things like visits to events and even a member's payment status is kept in this way. Of course, not everyone is allowed to see all fields, let alone edit them. The profile permissions module should enforce the proper policies.

I am quite sure this used to work properly. But, as I was changing the access policies, I actually tested yesterday what would happen if I logged in as a "normal" user without special access privileges. Well, nothing bad going on there - except that such a user is able to change all of its own profile fields. Including things like payment statuses. Oops.

The bug was not that difficult to find, fortunately: an array was passed to a function, which changed it. Regrettably, the array was passed by value instead of by reference, so all changes were lost once the function returned.
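The by-value versus by-reference failure described above, as an added example that is not the profile_permissions module's own code. The function names, field names and form array are hypothetical; only the `#access` form property is taken from Drupal's Form API.

```php
<?php
// Constructed sample data: fields the unprivileged user may edit (hypothetical).
$editable = array('profile_nickname');

// Constructed sample form: every field starts out accessible.
function sample_form() {
  return array(
    'profile_nickname'       => array('#type' => 'textfield', '#access' => TRUE),
    'profile_payment_status' => array('#type' => 'select',    '#access' => TRUE),
  );
}

// Buggy helper: $form is a copy, so the #access changes are lost on return.
function restrict_fields_by_value($form, array $editable) {
  foreach (array_keys($form) as $name) {
    if (!in_array($name, $editable, TRUE)) {
      $form[$name]['#access'] = FALSE;
    }
  }
}

// Fixed helper: the & makes $form an alias of the caller's array.
function restrict_fields_by_reference(&$form, array $editable) {
  foreach (array_keys($form) as $name) {
    if (!in_array($name, $editable, TRUE)) {
      $form[$name]['#access'] = FALSE;
    }
  }
}

// Lists the fields that are still editable after the restriction step.
// A missing #access counts as accessible, as in Drupal's Form API.
function writable_fields(array $form) {
  $names = array();
  foreach ($form as $name => $element) {
    if (!isset($element['#access']) || $element['#access']) {
      $names[] = $name;
    }
  }
  return $names;
}

$form = sample_form();
restrict_fields_by_value($form, $editable);
echo "by value:     ", implode(', ', writable_fields($form)), "\n";

$form = sample_form();
restrict_fields_by_reference($form, $editable);
echo "by reference: ", implode(', ', writable_fields($form)), "\n";
```

A regression test that logs in as an unprivileged user and asserts on the equivalent of `writable_fields()` would catch this class of bug, because the by-value version fails open without raising any error.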

The big question here is: why was this working before? This may have to do with the way PHP handles and used to handle references. References are actually aliases, and all kinds of unexpected things can happen if you are not very careful, especially with array elements. Drupal uses all kinds of tricks in function drupal_alter, and perhaps something has changed there?

Anyway, this has been reported as issue 2330517.



Blog_article | by Dr. Radut