Contrib.social

The 'access' property of hook_user_cancel_methods_alter() methods is never used

Open on Drupal.org β†’
Created on 20 November 2013, about 11 years ago
Updated 30 August 2023, over 1 year ago

hook_user_cancel_methods_alter() says you can use the 'access' property of user cancel methods to restict the user's ability to use certain methods.

user_cancel_methods() also specifies the 'access' property for one of the default methods.

This 'access' property is never actually used anywhere so this function doesn't work.

This has already been addressed in drupal 8 in #1848874: Clean up and simplify user cancel methods and processing β†’ but that issue also made other changes that aren't candidates for backporting to drupal 7.

The only way this would change existing sites is that the access rules would now be applied, which means the "Delete the account and its content." cancel method would only be usable by users who have the administer users permission, which means users with the "select account cancellation method" permission would no longer be able to delete their own account and all its content unless they also have the administer users permission.

One way around that would be to also remove the
'access' => user_access('administer users'),
part of the 'user_cancel_delete' method in the user_cancel_methods() function.

Then the only issue is that there would be a difference between the defaults in drupal 7 & 8, which isn't a huge issue as drupal 8 has plenty of changes from drupal 7.

πŸ› Bug report
Status

Needs work

Version

7.0 ⚰️

Component
User moduleΒ  β†’

Last updated 7 days ago

Created by

πŸ‡¦πŸ‡ΊAustralia rooby

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom james.williams

    Re-rolled patch because previous one didn't apply.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 7.4 & PostgreSQL 9.5
    last update over 1 year ago
    2,121 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 5.6 & MySQL 5.5
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 7.4 & SQLite 3.27
    last update over 1 year ago
    2,156 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & pgsql-13.5
    last update over 1 year ago
    2,121 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 7.2 & MySQL 5.6
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.0 & MySQL 5.7
    last update over 1 year ago
    2,160 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 5.3 & MySQL 5.5
    last update over 1 year ago
    2,160 pass
  • Status changed to Needs work over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡ΈπŸ‡°Slovakia poker10

    Thanks for working on this. This seems like a useful security improvement. Removing the tag for tests, as there are test cases added already.

    There is one thing we should consider and that is, what if a site already has a default method Delete the account and its content. ? This option will be hidden from admin/config/people/accounts after this is committed (because a method with access could not be default) and it can cause problems. Do we need to add an update hook for all such sites to switch the default method for them? I think that probably yes.

    Found also a few minor issues:

    @@ -81,6 +81,15 @@ function user_form_test_user_account_submit($form, &$form_state) {
   $form_state['rebuild'] = TRUE;
 }
 
+
+/**
+ * Implements hook_user_cancel_methods_alter().

    There is an extra newline.

    @@ -936,6 +936,42 @@ class UserCancelTestCase extends DrupalWebTestCase {
+    // Create a user with permission to delete user accounts and administer
+    // site configurations.

    I would use "administer site configuration" (without s).

    @@ -936,6 +936,42 @@ class UserCancelTestCase extends DrupalWebTestCase {
+    $this->assertEqual(count($result), 1, t('Delete the account and make its content belong to the a a user checkbox is checked.'));

    There is a typo, I think it should be: "Delete the account and make its content belong to the Anonymous user checkbox is checked.". And I think we do not need to use t() here.

    @@ -936,6 +936,42 @@ class UserCancelTestCase extends DrupalWebTestCase {
+    $this->assertNoText('Delete the account and make its content belong to the Anonymous user.', 'Account cancellation methods that have "#access" defined in hook_user_cancel_methods_alter() are not displayed.');
+    $this->assertNoText('Delete the account and its content.', 'Account cancellation methods that have "#access" defined are not displayed.');

    It should be: ... that have "access" property defined... (without #)

    Anyway, regarding the access to the user_cancel_delete method, this looks same as in D10, so I think we are good here. We will just mention it in a change record and it should be OK.

    Thanks!

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024