authorGábor Hojtsy2008-04-09 21:11:51 +0000
committerGábor Hojtsy2008-04-09 21:11:51 +0000
commitfee422170acc602c2049af4dc2fd00f1da3c5713 (patch)
tree81b4306fec8e6a3f0cf6cdb27a8a1320dfa830e7
parentc7971e7f25b3f19ce80d60f09c79a6171e925a47 (diff)
Drupal 6.26.2
-rw-r--r--CHANGELOG.txt4
-rw-r--r--includes/common.inc2
-rw-r--r--includes/menu.inc7
-rw-r--r--modules/aggregator/aggregator.module1
-rw-r--r--modules/block/block.module4
-rw-r--r--modules/blog/blog.module26
-rw-r--r--modules/comment/comment.module1
-rw-r--r--modules/contact/contact.module4
-rw-r--r--modules/dblog/dblog.module5
-rw-r--r--modules/filter/filter.module4
-rw-r--r--modules/forum/forum.module6
-rw-r--r--modules/help/help.module1
-rw-r--r--modules/locale/locale.module9
-rw-r--r--modules/menu/menu.module8
-rw-r--r--modules/node/node.module4
-rw-r--r--modules/openid/openid.module2
-rw-r--r--modules/path/path.module2
-rw-r--r--modules/profile/profile.module12
-rw-r--r--modules/search/search.module1
-rw-r--r--modules/syslog/syslog.module1
-rw-r--r--modules/system/system.module19
-rw-r--r--modules/taxonomy/taxonomy.module4
-rw-r--r--modules/tracker/tracker.module24
-rw-r--r--modules/trigger/trigger.module4
-rw-r--r--modules/user/user.module21
25 files changed, 153 insertions, 23 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index e0972ca..6e67080 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,9 @@
// $Id$
-Drupal 6.2-dev, xxxx-xx-xx (development version)
+Drupal 6.2, 2008-04-09
----------------------
+- fixed a variety of small bugs
+- fixed a security issue (Access bypasses), see SA-2008-026
Drupal 6.1, 2008-02-27
----------------------
diff --git a/includes/common.inc b/includes/common.inc
index 90b0329..ccb8520 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -577,7 +577,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL)) {
+ if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
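Review bot: Excluding E_NOTICE from the mask at the changed line stops the handler from processing notices at all, independently of the site's error_reporting configuration; if the goal is only to keep notices off rendered pages, that decision belongs in the display path further down rather than in this filter, and the `8 => 'notice'` entry in the $types table on the next line becomes unreachable. Whatever the rationale, it deserves a comment above the condition, e.g. `// Notices are deliberately excluded here and are neither logged nor displayed.` (adjust if the handler still records them somewhere below). drupal_error_handler starts and ends outside the hunk.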
diff --git a/includes/menu.inc b/includes/menu.inc
index 17657bf..5d2268c 100644
--- a/includes/menu.inc
+++ b/includes/menu.inc
@@ -2275,9 +2275,10 @@ function _menu_router_build($callbacks) {
if (!isset($item['tab_root']) && !$parent['_tab']) {
$item['tab_root'] = $parent_path;
}
- // If a callback is not found, we try to find the first parent that
- // has a callback.
- if (!isset($item['access callback']) && isset($parent['access callback'])) {
+ // If an access callback is not found for a default local task we use
+ // the callback from the parent, since we expect them to be identical.
+ // In all other cases, the access parameters must be specified.
+ if (($item['type'] == MENU_DEFAULT_LOCAL_TASK) && !isset($item['access callback']) && isset($parent['access callback'])) {
$item['access callback'] = $parent['access callback'];
if (!isset($item['access arguments']) && isset($parent['access arguments'])) {
$item['access arguments'] = $parent['access arguments'];
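Review bot: The new guard means an item that is not a MENU_DEFAULT_LOCAL_TASK and omits its access data no longer inherits from its parent, so whatever default the remainder of _menu_router_build applies (outside this hunk) now decides those items; the comment should say what that default is so a module author knows an omitted callback presumably fails closed rather than silently inheriting, e.g. `// Any other item that omits both keys falls through to the default handling below.` Also, `$item['type']` is read unguarded in the condition; if a default 'type' is not merged into $item earlier in the function, items that omit it would raise a notice here — verify against the part of the function above the hunk. The enclosing function starts and ends outside the hunk.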
diff --git a/modules/aggregator/aggregator.module b/modules/aggregator/aggregator.module
index 0475edb..f6c272c 100644
--- a/modules/aggregator/aggregator.module
+++ b/modules/aggregator/aggregator.module
@@ -201,6 +201,7 @@ function aggregator_menu() {
$items['aggregator/sources/%aggregator_feed'] = array(
'page callback' => 'aggregator_page_source',
'page arguments' => array(2),
+ 'access arguments' => array('access news feeds'),
'type' => MENU_CALLBACK,
'file' => 'aggregator.pages.inc',
);
diff --git a/modules/block/block.module b/modules/block/block.module
index 26579d8..a123b4b 100644
--- a/modules/block/block.module
+++ b/modules/block/block.module
@@ -132,6 +132,7 @@ function block_menu() {
$items['admin/build/block/list/js'] = array(
'title' => 'JavaScript List Form',
'page callback' => 'block_admin_display_js',
+ 'access arguments' => array('administer blocks'),
'type' => MENU_CALLBACK,
'file' => 'block.admin.inc',
);
@@ -139,6 +140,7 @@ function block_menu() {
'title' => 'Configure block',
'page callback' => 'drupal_get_form',
'page arguments' => array('block_admin_configure'),
+ 'access arguments' => array('administer blocks'),
'type' => MENU_CALLBACK,
'file' => 'block.admin.inc',
);
@@ -146,6 +148,7 @@ function block_menu() {
'title' => 'Delete block',
'page callback' => 'drupal_get_form',
'page arguments' => array('block_box_delete'),
+ 'access arguments' => array('administer blocks'),
'type' => MENU_CALLBACK,
'file' => 'block.admin.inc',
);
@@ -153,6 +156,7 @@ function block_menu() {
'title' => 'Add block',
'page callback' => 'drupal_get_form',
'page arguments' => array('block_add_block_form'),
+ 'access arguments' => array('administer blocks'),
'type' => MENU_LOCAL_TASK,
'file' => 'block.admin.inc',
);
diff --git a/modules/blog/blog.module b/modules/blog/blog.module
index 4efb8c2..789baa5 100644
--- a/modules/blog/blog.module
+++ b/modules/blog/blog.module
@@ -140,19 +140,20 @@ function blog_menu() {
'type' => MENU_SUGGESTED_ITEM,
'file' => 'blog.pages.inc',
);
- $items['blog/%user_current'] = array(
+ $items['blog/%user_uid_optional'] = array(
'title' => 'My blog',
'page callback' => 'blog_page_user',
'page arguments' => array(1),
- 'access callback' => 'user_access',
- 'access arguments' => array('create blog entries', 1),
+ 'access callback' => 'blog_page_user_access',
+ 'access arguments' => array(1),
'file' => 'blog.pages.inc',
);
$items['blog/%user/feed'] = array(
'title' => 'Blogs',
'page callback' => 'blog_feed_user',
'page arguments' => array(1),
- 'access arguments' => array('access content'),
+ 'access callback' => 'blog_page_user_access',
+ 'access arguments' => array(1),
'type' => MENU_CALLBACK,
'file' => 'blog.pages.inc',
);
@@ -168,6 +169,23 @@ function blog_menu() {
}
/**
+ * Access callback for user blog pages.
+ */
+function blog_page_user_access($account) {
+ // The visitor must be able to access the site's content.
+ // For a blog to 'exist' the user must either be able to
+ // create new blog entries, or it must have existing posts.
+ return $account->uid && user_access('access content') && (user_access('create blog entries', $account) || _blog_post_exists($account));
+}
+
+/**
+ * Helper function to determine if a user has blog posts already.
+ */
+function _blog_post_exists($account) {
+ return (bool)db_result(db_query_range(db_rewrite_sql("SELECT 1 FROM {node} n WHERE n.type = 'blog' AND n.uid = %d AND n.status = 1"), $account->uid, 0, 1));
+}
+
+/**
* Implementation of hook_block().
*
* Displays the most recent 10 blog titles.
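Review bot: `_blog_post_exists` is documented only as "has blog posts already", but the query counts only published nodes (`n.status = 1`) and is passed through db_rewrite_sql, so the result can also depend on the current visitor's node access; both facts decide whether a blog "exists" for the visitor and belong in the docblock, e.g. `Returns TRUE if the account has at least one published blog node visible to the current user.` In `blog_page_user_access`, `$account->uid` is dereferenced without checking that a user object was loaded; if the %user_uid_optional loader can return FALSE for an unknown uid, this relies on the menu system returning 404 before the access callback runs — worth confirming and stating in the docblock. Both new functions are complete within the hunk.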
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 0176232..594f9fb 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -211,6 +211,7 @@ function comment_menu() {
$items['admin/content/comment/approval'] = array(
'title' => 'Approval queue',
'page arguments' => array('approval'),
+ 'access arguments' => array('administer comments'),
'type' => MENU_LOCAL_TASK,
'file' => 'comment.admin.inc',
);
diff --git a/modules/contact/contact.module b/modules/contact/contact.module
index 5a51385..4557029 100644
--- a/modules/contact/contact.module
+++ b/modules/contact/contact.module
@@ -59,6 +59,7 @@ function contact_menu() {
'title' => 'Add category',
'page callback' => 'drupal_get_form',
'page arguments' => array('contact_admin_edit', 3),
+ 'access arguments' => array('administer site-wide contact form'),
'type' => MENU_LOCAL_TASK,
'weight' => 1,
'file' => 'contact.admin.inc',
@@ -67,6 +68,7 @@ function contact_menu() {
'title' => 'Edit contact category',
'page callback' => 'drupal_get_form',
'page arguments' => array('contact_admin_edit', 3, 4),
+ 'access arguments' => array('administer site-wide contact form'),
'type' => MENU_CALLBACK,
'file' => 'contact.admin.inc',
);
@@ -74,6 +76,7 @@ function contact_menu() {
'title' => 'Delete contact',
'page callback' => 'drupal_get_form',
'page arguments' => array('contact_admin_delete', 4),
+ 'access arguments' => array('administer site-wide contact form'),
'type' => MENU_CALLBACK,
'file' => 'contact.admin.inc',
);
@@ -81,6 +84,7 @@ function contact_menu() {
'title' => 'Settings',
'page callback' => 'drupal_get_form',
'page arguments' => array('contact_admin_settings'),
+ 'access arguments' => array('administer site-wide contact form'),
'type' => MENU_LOCAL_TASK,
'weight' => 2,
'file' => 'contact.admin.inc',
diff --git a/modules/dblog/dblog.module b/modules/dblog/dblog.module
index 04529d6..dfb28b2 100644
--- a/modules/dblog/dblog.module
+++ b/modules/dblog/dblog.module
@@ -47,6 +47,7 @@ function dblog_menu() {
'description' => 'Settings for logging to the Drupal database logs. This is the most common method for small to medium sites on shared hosting. The logs are viewable from the admin pages.',
'page callback' => 'drupal_get_form',
'page arguments' => array('dblog_admin_settings'),
+ 'access arguments' => array('administer site configuration'),
'file' => 'dblog.admin.inc',
);
@@ -54,6 +55,7 @@ function dblog_menu() {
'title' => 'Recent log entries',
'description' => 'View events that have recently been logged.',
'page callback' => 'dblog_overview',
+ 'access arguments' => array('access site reports'),
'weight' => -1,
'file' => 'dblog.admin.inc',
);
@@ -62,6 +64,7 @@ function dblog_menu() {
'description' => "View 'page not found' errors (404s).",
'page callback' => 'dblog_top',
'page arguments' => array('page not found'),
+ 'access arguments' => array('access site reports'),
'file' => 'dblog.admin.inc',
);
$items['admin/reports/access-denied'] = array(
@@ -69,12 +72,14 @@ function dblog_menu() {
'description' => "View 'access denied' errors (403s).",
'page callback' => 'dblog_top',
'page arguments' => array('access denied'),
+ 'access arguments' => array('access site reports'),
'file' => 'dblog.admin.inc',
);
$items['admin/reports/event/%'] = array(
'title' => 'Details',
'page callback' => 'dblog_event',
'page arguments' => array(3),
+ 'access arguments' => array('access site reports'),
'type' => MENU_CALLBACK,
'file' => 'dblog.admin.inc',
);
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 18f3e39..f955c4d 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -82,6 +82,7 @@ function filter_menu() {
$items['admin/settings/filters/add'] = array(
'title' => 'Add input format',
'page callback' => 'filter_admin_format_page',
+ 'access arguments' => array('administer filters'),
'type' => MENU_LOCAL_TASK,
'weight' => 1,
'file' => 'filter.admin.inc',
@@ -90,6 +91,7 @@ function filter_menu() {
'title' => 'Delete input format',
'page callback' => 'drupal_get_form',
'page arguments' => array('filter_admin_delete'),
+ 'access arguments' => array('administer filters'),
'type' => MENU_CALLBACK,
'file' => 'filter.admin.inc',
);
@@ -120,6 +122,7 @@ function filter_menu() {
'title' => 'Configure',
'page callback' => 'filter_admin_configure_page',
'page arguments' => array(3),
+ 'access arguments' => array('administer filters'),
'type' => MENU_LOCAL_TASK,
'weight' => 1,
'file' => 'filter.admin.inc',
@@ -128,6 +131,7 @@ function filter_menu() {
'title' => 'Rearrange',
'page callback' => 'filter_admin_order_page',
'page arguments' => array(3),
+ 'access arguments' => array('administer filters'),
'type' => MENU_LOCAL_TASK,
'weight' => 2,
'file' => 'filter.admin.inc',
diff --git a/modules/forum/forum.module b/modules/forum/forum.module
index 4097240..b8f7353 100644
--- a/modules/forum/forum.module
+++ b/modules/forum/forum.module
@@ -106,6 +106,7 @@ function forum_menu() {
'title' => 'Add container',
'page callback' => 'forum_form_main',
'page arguments' => array('container'),
+ 'access arguments' => array('administer forums'),
'type' => MENU_LOCAL_TASK,
'parent' => 'admin/content/forum',
'file' => 'forum.admin.inc',
@@ -114,6 +115,7 @@ function forum_menu() {
'title' => 'Add forum',
'page callback' => 'forum_form_main',
'page arguments' => array('forum'),
+ 'access arguments' => array('administer forums'),
'type' => MENU_LOCAL_TASK,
'parent' => 'admin/content/forum',
'file' => 'forum.admin.inc',
@@ -122,6 +124,7 @@ function forum_menu() {
'title' => 'Settings',
'page callback' => 'drupal_get_form',
'page arguments' => array('forum_admin_settings'),
+ 'access arguments' => array('administer forums'),
'weight' => 5,
'type' => MENU_LOCAL_TASK,
'parent' => 'admin/content/forum',
@@ -129,6 +132,7 @@ function forum_menu() {
);
$items['admin/content/forum/edit/%forum_term'] = array(
'page callback' => 'forum_form_main',
+ 'access arguments' => array('administer forums'),
'type' => MENU_CALLBACK,
'file' => 'forum.admin.inc',
);
@@ -136,6 +140,7 @@ function forum_menu() {
'title' => 'Edit container',
'page callback' => 'forum_form_main',
'page arguments' => array('container', 5),
+ 'access arguments' => array('administer forums'),
'type' => MENU_CALLBACK,
'file' => 'forum.admin.inc',
);
@@ -143,6 +148,7 @@ function forum_menu() {
'title' => 'Edit forum',
'page callback' => 'forum_form_main',
'page arguments' => array('forum', 5),
+ 'access arguments' => array('administer forums'),
'type' => MENU_CALLBACK,
'file' => 'forum.admin.inc',
);
diff --git a/modules/help/help.module b/modules/help/help.module
index 2daff64..4cdcfeb 100644
--- a/modules/help/help.module
+++ b/modules/help/help.module
@@ -23,6 +23,7 @@ function help_menu() {
'title' => $module,
'page callback' => 'help_page',
'page arguments' => array(2),
+ 'access arguments' => array('access administration pages'),
'type' => MENU_CALLBACK,
'file' => 'help.admin.inc',
);
diff --git a/modules/locale/locale.module b/modules/locale/locale.module
index 0404467..02ee9f7 100644
--- a/modules/locale/locale.module
+++ b/modules/locale/locale.module
@@ -99,6 +99,7 @@ function locale_menu() {
'title' => 'Add language',
'page callback' => 'locale_inc_callback',
'page arguments' => array('locale_languages_add_screen'), // two forms concatenated
+ 'access arguments' => array('administer languages'),
'weight' => 5,
'type' => MENU_LOCAL_TASK,
);
@@ -106,6 +107,7 @@ function locale_menu() {
'title' => 'Configure',
'page callback' => 'locale_inc_callback',
'page arguments' => array('drupal_get_form', 'locale_languages_configure_form'),
+ 'access arguments' => array('administer languages'),
'weight' => 10,
'type' => MENU_LOCAL_TASK,
);
@@ -113,12 +115,14 @@ function locale_menu() {
'title' => 'Edit language',
'page callback' => 'locale_inc_callback',
'page arguments' => array('drupal_get_form', 'locale_languages_edit_form', 4),
+ 'access arguments' => array('administer languages'),
'type' => MENU_CALLBACK,
);
$items['admin/settings/language/delete/%'] = array(
'title' => 'Confirm',
'page callback' => 'locale_inc_callback',
'page arguments' => array('drupal_get_form', 'locale_languages_delete_form', 4),
+ 'access arguments' => array('administer languages'),
'type' => MENU_CALLBACK,
);
@@ -141,11 +145,13 @@ function locale_menu() {
'type' => MENU_LOCAL_TASK,
'page callback' => 'locale_inc_callback',
'page arguments' => array('locale_translate_seek_screen'), // search results and form concatenated
+ 'access arguments' => array('translate interface'),
);
$items['admin/build/translate/import'] = array(
'title' => 'Import',
'page callback' => 'locale_inc_callback',
'page arguments' => array('drupal_get_form', 'locale_translate_import_form'),
+ 'access arguments' => array('translate interface'),
'weight' => 20,
'type' => MENU_LOCAL_TASK,
);
@@ -153,6 +159,7 @@ function locale_menu() {
'title' => 'Export',
'page callback' => 'locale_inc_callback',
'page arguments' => array('locale_translate_export_screen'), // possibly multiple forms concatenated
+ 'access arguments' => array('translate interface'),
'weight' => 30,
'type' => MENU_LOCAL_TASK,
);
@@ -160,12 +167,14 @@ function locale_menu() {
'title' => 'Edit string',
'page callback' => 'locale_inc_callback',
'page arguments' => array('drupal_get_form', 'locale_translate_edit_form', 4),
+ 'access arguments' => array('translate interface'),
'type' => MENU_CALLBACK,
);
$items['admin/build/translate/delete/%'] = array(
'title' => 'Delete string',
'page callback' => 'locale_inc_callback',
'page arguments' => array('locale_translate_delete', 4), // directly deletes, no confirmation
+ 'access arguments' => array('translate interface'),
'type' => MENU_CALLBACK,
);
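Review bot: The `admin/build/translate/delete/%` item now requires 'translate interface', but the context comment on its page arguments says it "directly deletes, no confirmation", i.e. a plain GET request to that path performs a state-changing operation, and a permission check alone does not protect a logged-in translator against cross-site request forgery. The usual fix is to route it through `drupal_get_form` with a `confirm_form()`-based confirmation, as the language delete item earlier in the function already does (`locale_languages_delete_form`), or to require a token on the link. locale_menu starts outside the hunk.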
diff --git a/modules/menu/menu.module b/modules/menu/menu.module
index 03fca87..ba0a1fb 100644
--- a/modules/menu/menu.module
+++ b/modules/menu/menu.module
@@ -63,6 +63,7 @@ function menu_menu() {
'title' => 'Add menu',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_edit_menu', 'add'),
+ 'access arguments' => array('administer menu'),
'type' => MENU_LOCAL_TASK,
'file' => 'menu.admin.inc',
);
@@ -70,6 +71,7 @@ function menu_menu() {
'title' => 'Settings',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_configure'),
+ 'access arguments' => array('administer menu'),
'type' => MENU_LOCAL_TASK,
'weight' => 5,
'file' => 'menu.admin.inc',
@@ -94,6 +96,7 @@ function menu_menu() {
'title' => 'Add item',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_edit_item', 'add', NULL, 3),
+ 'access arguments' => array('administer menu'),
'type' => MENU_LOCAL_TASK,
'file' => 'menu.admin.inc',
);
@@ -101,6 +104,7 @@ function menu_menu() {
'title' => 'Edit menu',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_edit_menu', 'edit', 3),
+ 'access arguments' => array('administer menu'),
'type' => MENU_LOCAL_TASK,
'file' => 'menu.admin.inc',
);
@@ -108,6 +112,7 @@ function menu_menu() {
'title' => 'Delete menu',
'page callback' => 'menu_delete_menu_page',
'page arguments' => array(3),
+ 'access arguments' => array('administer menu'),
'type' => MENU_CALLBACK,
'file' => 'menu.admin.inc',
);
@@ -115,6 +120,7 @@ function menu_menu() {
'title' => 'Edit menu item',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_edit_item', 'edit', 4, NULL),
+ 'access arguments' => array('administer menu'),
'type' => MENU_CALLBACK,
'file' => 'menu.admin.inc',
);
@@ -122,6 +128,7 @@ function menu_menu() {
'title' => 'Reset menu item',
'page callback' => 'drupal_get_form',
'page arguments' => array('menu_reset_item_confirm', 4),
+ 'access arguments' => array('administer menu'),
'type' => MENU_CALLBACK,
'file' => 'menu.admin.inc',
);
@@ -129,6 +136,7 @@ function menu_menu() {
'title' => 'Delete menu item',
'page callback' => 'menu_item_delete_page',
'page arguments' => array(4),
+ 'access arguments' => array('administer menu'),
'type' => MENU_CALLBACK,
'file' => 'menu.admin.inc',
);
diff --git a/modules/node/node.module b/modules/node/node.module
index 73dc3db..b7e1ed7 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1447,6 +1447,7 @@ function node_menu() {
'title' => 'Add content type',
'page callback' => 'drupal_get_form',
'page arguments' => array('node_type_form'),
+ 'access arguments' => array('administer content types'),
'file' => 'content_types.inc',
'type' => MENU_LOCAL_TASK,
);
@@ -1496,6 +1497,7 @@ function node_menu() {
$items['admin/content/node-type/'. $type_url_str .'/delete'] = array(
'title' => 'Delete',
'page arguments' => array('node_type_delete_confirm', $type),
+ 'access arguments' => array('administer content types'),
'file' => 'content_types.inc',
'type' => MENU_CALLBACK,
);
@@ -1546,6 +1548,8 @@ function node_menu() {
'load arguments' => array(3),
'page callback' => 'node_show',
'page arguments' => array(1, NULL, TRUE),
+ 'access callback' => '_node_revision_access',
+ 'access arguments' => array(1),
'type' => MENU_CALLBACK,
);
$items['node/%node/revisions/%/revert'] = array(
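Review bot: The revision view item now gets `_node_revision_access` with only the node as argument, so the callback's operation is whatever it defaults to (presumably 'view'); the sibling `node/%node/revisions/%/revert` item that begins at the last context line, and any delete item after it, are outside this hunk, so verify they pass the corresponding operation rather than being left without access data. `_node_revision_access` is not defined in this diff; assuming it already exists in node.module, a short comment on the item stating that it enforces 'view revisions' on the loaded node would help readers. node_menu starts and ends outside the hunk.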
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index d77ee73..0aec370 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -30,6 +30,8 @@ function openid_menu() {
'title' => 'Delete OpenID',
'page callback' => 'openid_user_delete',
'page arguments' => array(1),
+ 'access callback' => 'user_edit_access',
+ 'access arguments' => array(1),
'type' => MENU_CALLBACK,
'file' => 'openid.pages.inc',
);
diff --git a/modules/path/path.module b/modules/path/path.module
index 87bd6cd..6f622f7 100644
--- a/modules/path/path.module
+++ b/modules/path/path.module
@@ -46,6 +46,7 @@ function path_menu() {
$items['admin/build/path/edit'] = array(
'title' => 'Edit alias',
'page callback' => 'path_admin_edit',
+ 'access arguments' => array('administer url aliases'),
'type' => MENU_CALLBACK,
'file' => 'path.admin.inc',
);
@@ -53,6 +54,7 @@ function path_menu() {
'title' => 'Delete alias',
'page callback' => 'drupal_get_form',
'page arguments' => array('path_admin_delete_confirm'),
+ 'access arguments' => array('administer url aliases'),
'type' => MENU_CALLBACK,
'file' => 'path.admin.inc',
);
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index c75c113..eb0de4c 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -95,12 +95,14 @@ function profile_menu() {
'title' => 'Add field',
'page callback' => 'drupal_get_form',
'page arguments' => array('profile_field_form'),
+ 'access arguments' => array('administer users'),
'type' => MENU_CALLBACK,
'file' => 'profile.admin.inc',
);
$items['admin/user/profile/autocomplete'] = array(
'title' => 'Profile category autocomplete',
'page callback' => 'profile_admin_settings_autocomplete',
+ 'access arguments' => array('administer users'),
'type' => MENU_CALLBACK,
'file' => 'profile.admin.inc',
);
@@ -108,6 +110,7 @@ function profile_menu() {
'title' => 'Edit field',
'page callback' => 'drupal_get_form',
'page arguments' => array('profile_field_form'),
+ 'access arguments' => array('administer users'),
'type' => MENU_CALLBACK,
'file' => 'profile.admin.inc',
);
@@ -115,6 +118,7 @@ function profile_menu() {
'title' => 'Delete field',
'page callback' => 'drupal_get_form',
'page arguments' => array('profile_field_delete'),
+ 'access arguments' => array('administer users'),
'type' => MENU_CALLBACK,
'file' => 'profile.admin.inc',
);
@@ -453,7 +457,7 @@ function profile_categories() {
'title' => $category->category,
'weight' => 3,
'access callback' => 'profile_category_access',
- 'access arguments' => array($category->category)
+ 'access arguments' => array(1, $category->category)
);
}
return $data;
@@ -462,12 +466,12 @@ function profile_categories() {
/**
* Menu item access callback - check if a user has access to a profile category.
*/
-function profile_category_access($category) {
- if (user_access('administer users')) {
+function profile_category_access($account, $category) {
+ if (user_access('administer users') && $account->uid > 0) {
return TRUE;
}
else {
- return db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
+ return user_edit_access($account) && db_result(db_query("SELECT COUNT(*) FROM {profile_fields} WHERE category = '%s' AND visibility <> %d", $category, PROFILE_HIDDEN));
}
}
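Review bot: The `if` branch in `profile_category_access` is now redundant: `user_edit_access($account)` in the `else` branch already returns TRUE for a visitor with 'administer users' when `$account->uid > 0`, so the whole body reduces to `return user_edit_access($account) && (user_access('administer users') || db_result(db_query(...)));` with the existing query unchanged, and the `else`-after-return shape disappears. The docblock should record the new parameter order, e.g. `@param $account The user whose profile is being viewed. @param $category The profile category name.`, since the signature change silently breaks any existing caller still passing only the category. profile_categories, which supplies `array(1, $category->category)`, starts outside the previous hunk.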
diff --git a/modules/search/search.module b/modules/search/search.module
index 7a4c69c..b7ca869 100644
--- a/modules/search/search.module
+++ b/modules/search/search.module
@@ -194,6 +194,7 @@ function search_menu() {
'description' => 'View most popular search phrases.',
'page callback' => 'dblog_top',
'page arguments' => array('search'),
+ 'access arguments' => array('access site reports'),
'file' => 'dblog.admin.inc',
'file path' => drupal_get_path('module', 'dblog'),
);
diff --git a/modules/syslog/syslog.module b/modules/syslog/syslog.module
index b9810ea..5706cb1 100644
--- a/modules/syslog/syslog.module
+++ b/modules/syslog/syslog.module
@@ -32,6 +32,7 @@ function syslog_menu() {
'description' => 'Settings for syslog logging. Syslog is an operating system administrative logging tool used in systems management and security auditing. Most suited to medium and large sites, syslog provides filtering tools that allow messages to be routed by type and severity.',
'page callback' => 'drupal_get_form',
'page arguments' => array('syslog_admin_settings'),
+ 'access arguments' => array('administer site configuration'),
);
return $items;
}
diff --git a/modules/system/system.module b/modules/system/system.module
index 582997f..5f5cc34 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.2-dev');
+define('VERSION', '6.2');
/**
* Core API compatibility.
@@ -212,18 +212,21 @@ function system_menu() {
$items['admin/compact'] = array(
'title' => 'Compact mode',
'page callback' => 'system_admin_compact_page',
+ 'access arguments' => array('access administration pages'),
'type' => MENU_CALLBACK,
'file' => 'system.admin.inc',
);
$items['admin/by-task'] = array(
'title' => 'By task',
'page callback' => 'system_main_admin_page',
+ 'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
'type' => MENU_DEFAULT_LOCAL_TASK,
);
$items['admin/by-module'] = array(
'title' => 'By module',
'page callback' => 'system_admin_by_module',
+ 'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
'type' => MENU_LOCAL_TASK,
'weight' => 2,
@@ -234,6 +237,7 @@ function system_menu() {
'position' => 'left',
'weight' => -10,
'page callback' => 'system_admin_menu_block_page',
+ 'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
);
@@ -244,6 +248,7 @@ function system_menu() {
'position' => 'right',
'weight' => -5,
'page callback' => 'system_settings_overview',
+ 'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
);
$items['admin/build'] = array(
@@ -252,6 +257,7 @@ function system_menu() {
'position' => 'right',
'weight' => -10,
'page callback' => 'system_admin_menu_block_page',
+ 'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
);
$items['admin/settings/admin'] = array(
@@ -282,6 +288,7 @@ function system_menu() {
$items['admin/build/themes/settings'] = array(
'title' => 'Configure',
'page arguments' => array('system_theme_settings'),
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_LOCAL_TASK,
);
// Theme configuration subtabs
@@ -316,15 +323,18 @@ function system_menu() {
);
$items['admin/build/modules/list/confirm'] = array(
'title' => 'List',
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_CALLBACK,
);
$items['admin/build/modules/uninstall'] = array(
'title' => 'Uninstall',
'page arguments' => array('system_modules_uninstall'),
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_LOCAL_TASK,
);
$items['admin/build/modules/uninstall/confirm'] = array(
'title' => 'Uninstall',
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_CALLBACK,
);
@@ -346,6 +356,7 @@ function system_menu() {
'title' => 'Configure an advanced action',
'page callback' => 'drupal_get_form',
'page arguments' => array('system_actions_configure'),
+ 'access arguments' => array('administer actions'),
'type' => MENU_CALLBACK,
);
$items['admin/settings/actions/delete/%actions'] = array(
@@ -353,11 +364,13 @@ function system_menu() {
'description' => 'Delete an action.',
'page callback' => 'drupal_get_form',
'page arguments' => array('system_actions_delete_form', 4),
+ 'access arguments' => array('administer actions'),
'type' => MENU_CALLBACK,
);
$items['admin/settings/actions/orphan'] = array(
'title' => 'Remove orphans',
'page callback' => 'system_actions_remove_orphans',
+ 'access arguments' => array('administer actions'),
'type' => MENU_CALLBACK,
);
@@ -429,6 +442,7 @@ function system_menu() {
'title' => 'Date and time lookup',
'type' => MENU_CALLBACK,
'page callback' => 'system_date_time_lookup',
+ 'access arguments' => array('administer site configuration'),
'file' => 'system.admin.inc',
);
$items['admin/settings/site-maintenance'] = array(
@@ -485,18 +499,21 @@ function system_menu() {
$items['admin/reports/status/run-cron'] = array(
'title' => 'Run cron',
'page callback' => 'system_run_cron',
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_CALLBACK,
'file' => 'system.admin.inc',
);
$items['admin/reports/status/php'] = array(
'title' => 'PHP',
'page callback' => 'system_php',
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_CALLBACK,
'file' => 'system.admin.inc',
);
$items['admin/reports/status/sql'] = array(
'title' => 'SQL',
'page callback' => 'system_sql',
+ 'access arguments' => array('administer site configuration'),
'type' => MENU_CALLBACK,
'file' => 'system.admin.inc',
);
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index af40899..da4d2a1 100644
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -128,6 +128,7 @@ function taxonomy_menu() {
'title' => 'Add vocabulary',
'page callback' => 'drupal_get_form',
'page arguments' => array('taxonomy_form_vocabulary'),
+ 'access arguments' => array('administer taxonomy'),
'type' => MENU_LOCAL_TASK,
'parent' => 'admin/content/taxonomy',
'file' => 'taxonomy.admin.inc',
@@ -137,6 +138,7 @@ function taxonomy_menu() {
'title' => 'Edit vocabulary',
'page callback' => 'taxonomy_admin_vocabulary_edit',
'page arguments' => array(5),
+ 'access arguments' => array('administer taxonomy'),
'type' => MENU_CALLBACK,
'file' => 'taxonomy.admin.inc',
);
@@ -144,6 +146,7 @@ function taxonomy_menu() {
$items['admin/content/taxonomy/edit/term'] = array(
'title' => 'Edit term',
'page callback' => 'taxonomy_admin_term_edit',
+ 'access arguments' => array('administer taxonomy'),
'type' => MENU_CALLBACK,
'file' => 'taxonomy.admin.inc',
);
@@ -183,6 +186,7 @@ function taxonomy_menu() {
'title' => 'Add term',
'page callback' => 'taxonomy_add_term_page',
'page arguments' => array(3),
+ 'access arguments' => array('administer taxonomy'),
'type' => MENU_LOCAL_TASK,
'parent' => 'admin/content/taxonomy/%taxonomy_vocabulary',
'file' => 'taxonomy.admin.inc',
diff --git a/modules/tracker/tracker.module b/modules/tracker/tracker.module
index c3e4cd1..d1d2555 100644
--- a/modules/tracker/tracker.module
+++ b/modules/tracker/tracker.module
@@ -33,11 +33,11 @@ function tracker_menu() {
$items['tracker/all'] = array(
'title' => 'All recent posts',
'type' => MENU_DEFAULT_LOCAL_TASK,
- 'access callback' => 'user_is_logged_in',
);
- $items['tracker/%user_current'] = array(
+ $items['tracker/%user_uid_optional'] = array(
'title' => 'My recent posts',
- 'access callback' => 'user_is_logged_in',
+ 'access callback' => '_tracker_myrecent_access',
+ 'access arguments' => array(1),
'page arguments' => array(1),
'type' => MENU_LOCAL_TASK,
);
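Review bot: Removing `user_is_logged_in` from `tracker/all` leaves that item with no access data of its own; since it is MENU_DEFAULT_LOCAL_TASK, under the `_menu_router_build` change in this same commit it now inherits its parent's access callback, so the `tracker` parent item (above this hunk) must carry the intended check. A short comment on the item would make that dependence explicit, e.g. `// Default local task: access is inherited from the parent 'tracker' item.` tracker_menu starts outside the hunk.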
@@ -46,6 +46,8 @@ function tracker_menu() {
'title' => 'Track',
'page callback' => 'tracker_page',
'page arguments' => array(1, TRUE),
+ 'access callback' => '_tracker_user_access',
+ 'access arguments' => array(1),
'type' => MENU_LOCAL_TASK,
'file' => 'tracker.pages.inc',
);
@@ -55,3 +57,19 @@ function tracker_menu() {
);
return $items;
}
+
+/**
+ * Access callback for tracker/%user_uid_optional
+ */
+function _tracker_myrecent_access($account) {
+ // This path is only allowed for authenticated users looking at their own posts.
+ return $account->uid && ($GLOBALS['user']->uid == $account->uid) && user_access('access content');
+}
+
+/**
+ * Access callback for user/%user/track
+ */
+function _tracker_user_access($account) {
+ return user_view_access($account) && user_access('access content');
+}
+
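Review bot: The hunk appends an extra blank line at end of file (the final added line); drop it so the file ends with a single newline. The two new docblocks lack terminating periods and do not describe the returned contract, e.g. `Access callback for tracker/%user_uid_optional: TRUE only for the authenticated owner of the account who also has 'access content'.` and `Access callback for user/%user/track: TRUE when the visitor may view the account and has 'access content'.` Both new functions are complete within the hunk.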
diff --git a/modules/trigger/trigger.module b/modules/trigger/trigger.module
index 3878804..d9d9793 100644
--- a/modules/trigger/trigger.module
+++ b/modules/trigger/trigger.module
@@ -49,6 +49,7 @@ function trigger_menu() {
'title' => 'Content',
'page callback' => 'trigger_assign',
'page arguments' => array('node'),
+ 'access callback' => 'trigger_access_check',
'access arguments' => array('node'),
'type' => MENU_LOCAL_TASK,
'file' => 'trigger.admin.inc',
@@ -57,6 +58,7 @@ function trigger_menu() {
'title' => 'Users',
'page callback' => 'trigger_assign',
'page arguments' => array('user'),
+ 'access callback' => 'trigger_access_check',
'access arguments' => array('user'),
'type' => MENU_LOCAL_TASK,
'file' => 'trigger.admin.inc',
@@ -83,6 +85,7 @@ function trigger_menu() {
'title' => 'Cron',
'page callback' => 'trigger_assign',
'page arguments' => array('cron'),
+ 'access arguments' => array('administer actions'),
'type' => MENU_LOCAL_TASK,
'file' => 'trigger.admin.inc',
);
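Review bot: The Cron item at L895 is given a bare `'administer actions'` permission, and so falls back to the default `user_access` callback, while the sibling Content and Users items at L879-880 and L887-888 route through `trigger_access_check` with a module name. The two shapes are equivalent only if `trigger_access_check` (not visible here) wraps the same `'administer actions'` check with a module-enabled test that cron does not need; if it checks anything else, the cron tab is now guarded more loosely than its siblings. A short comment on the cron item, `// No module gate: cron triggers exist regardless of which modules are enabled.`, would record that the asymmetry is intentional. trigger_menu() continues outside this hunk.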
@@ -112,6 +115,7 @@ function trigger_menu() {
'description' => 'Unassign an action from a trigger.',
'page callback' => 'drupal_get_form',
'page arguments' => array('trigger_unassign'),
+ 'access arguments' => array('administer actions'),
'type' => MENU_CALLBACK,
'file' => 'trigger.admin.inc',
);
diff --git a/modules/user/user.module b/modules/user/user.module
index 7cca337..8bc0321 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -867,6 +867,9 @@ function user_view_access($account) {
);
}
+/**
+ * Access callback for user account editing.
+ */
function user_edit_access($account) {
return (($GLOBALS['user']->uid == $account->uid) || user_access('administer users')) && $account->uid > 0;
}
@@ -956,6 +959,7 @@ function user_menu() {
$items['admin/user/user/create'] = array(
'title' => 'Add user',
'page arguments' => array('create'),
+ 'access arguments' => array('administer users'),
'type' => MENU_LOCAL_TASK,
'file' => 'user.admin.inc',
);
@@ -988,6 +992,7 @@ function user_menu() {
$items['admin/user/roles/edit'] = array(
'title' => 'Edit role',
'page arguments' => array('user_admin_role'),
+ 'access arguments' => array('administer permissions'),
'type' => MENU_CALLBACK,
'file' => 'user.admin.inc',
);
@@ -1006,18 +1011,21 @@ function user_menu() {
$items['admin/user/rules/add'] = array(
'title' => 'Add rule',
'page callback' => 'user_admin_access_add',
+ 'access arguments' => array('administer permissions'),
'type' => MENU_LOCAL_TASK,
'file' => 'user.admin.inc',
);
$items['admin/user/rules/check'] = array(
'title' => 'Check rules',
'page callback' => 'user_admin_access_check',
+ 'access arguments' => array('administer permissions'),
'type' => MENU_LOCAL_TASK,
'file' => 'user.admin.inc',
);
$items['admin/user/rules/edit'] = array(
'title' => 'Edit rule',
'page callback' => 'user_admin_access_edit',
+ 'access arguments' => array('administer permissions'),
'type' => MENU_CALLBACK,
'file' => 'user.admin.inc',
);
@@ -1025,6 +1033,7 @@ function user_menu() {
'title' => 'Delete rule',
'page callback' => 'drupal_get_form',
'page arguments' => array('user_admin_access_delete_confirm'),
+ 'access arguments' => array('administer permissions'),
'type' => MENU_CALLBACK,
'file' => 'user.admin.inc',
);
@@ -1037,7 +1046,7 @@ function user_menu() {
'file' => 'user.pages.inc',
);
- $items['user/%user_current'] = array(
+ $items['user/%user_uid_optional'] = array(
'title' => 'My account',
'title callback' => 'user_page_title',
'title arguments' => array(1),
@@ -1092,8 +1101,8 @@ function user_menu() {
'title arguments' => array($category['title']),
'page callback' => 'user_edit',
'page arguments' => array(1, 3),
- 'access callback' => isset($category['access callback']) ? $category['access callback'] : TRUE,
- 'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(),
+ 'access callback' => isset($category['access callback']) ? $category['access callback'] : 'user_edit_access',
+ 'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(1),
'type' => MENU_LOCAL_TASK,
'weight' => $category['weight'],
'load arguments' => array('%map', '%index'),
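Review bot: The new `array(1)` default at L981 applies even when a category supplies its own `'access callback'` but omits `'access arguments'`, so such a callback is now invoked with the loaded account from path position 1 where it used to receive nothing. PHP ignores surplus arguments, so a zero-parameter callback keeps working, but a hook_user('categories') implementation whose callback takes a first parameter of another meaning would now silently check the wrong value; tying the two defaults together avoids that, `'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : (isset($category['access callback']) ? array() : array(1)),`. The foreach over categories and user_menu() itself continue outside this hunk.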
@@ -1110,8 +1119,8 @@ function user_init() {
drupal_add_css(drupal_get_path('module', 'user') .'/user.css', 'module');
}
-function user_current_load($arg) {
- return user_load($arg ? $arg : $GLOBALS['user']->uid);
+function user_uid_optional_load($arg) {
+ return user_load(isset($arg) ? $arg : $GLOBALS['user']->uid);
}
/**
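Review bot: `user_uid_optional_load` at L990 carries no docblock, and the switch to `isset()` is exactly the behaviour worth recording: a path component of `0` now loads uid 0 instead of silently falling back to the current user. Suggest `/** Menu loader for %user_uid_optional: loads the user named by $arg, or the current user when the path carries no uid component. */`. The hunk also retires the `user_current_load` name, so any contrib menu item that still uses a `%user_current` placeholder loses its loader; if that matters for a point release, a one-line alias `function user_current_load($arg) { return user_uid_optional_load($arg); }` keeps it working, and can be dropped once no such callers remain — I cannot see from here whether any exist.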
@@ -1156,7 +1165,7 @@ function user_category_load($uid, &$map, $index) {
/**
* Returns the user id of the currently logged in user.
*/
-function user_current_to_arg($arg) {
+function user_uid_optional_to_arg($arg) {
// Give back the current user uid when called from eg. tracker, aka.
// with an empty arg. Also use the current user uid when called from
// the menu with a % for the current account link.