summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGábor Hojtsy2011-11-23 10:13:03 (GMT)
committer Gábor Hojtsy2011-11-23 10:13:03 (GMT)
commite5dbe7a9b6aa1634dfb98693df409dd9c8fa6566 (patch)
tree152ea9caa0cb1601070caf1811ddf33ef5d6701b
parentc8377ddf2df4cfbaa5ee871f421ecfc68f62164f (diff)
Issue #909274 by ergonlogic, franz: user/0/delete should not be accessible even for administrators
-rw-r--r--modules/user/user.module14
1 files changed, 12 insertions, 2 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index dbdc5cb..625a00c 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1090,8 +1090,8 @@ function user_menu() {
'title' => 'Delete',
'page callback' => 'drupal_get_form',
'page arguments' => array('user_confirm_delete', 1),
- 'access callback' => 'user_access',
- 'access arguments' => array('administer users'),
+ 'access callback' => 'user_delete_access',
+ 'access arguments' => array(1),
'type' => MENU_CALLBACK,
'file' => 'user.pages.inc',
);
@@ -2551,3 +2551,13 @@ function user_login_destination() {
$destination = drupal_get_destination();
return $destination == 'destination=user%2Flogin' ? 'destination=user' : $destination;
}
+
+/**
+ * Menu access callback; limit access to account deletion pages.
+ *
+ * Limit access to administrative users, and prevent the anonymous user account
+ * from being deleted.
+ */
+function user_delete_access($account) {
+ return user_access('administer users') && $account->uid > 0;
+}