If non-admin users can see some user accounts but not others...

Quick news

2019-10-26: Presenting on NoSQL in Drupal 8 at DrupalCon Amsterdam
2019-02-15: Presenting on FranceTV Sport on Drupal 8 at DrupalCamp Paris
2018-06-08: Presenting on how to react to a hacked site at Drupal Hack Camp
2014-03-27: MongoDB Watchdog module ported to Drupal 8 at the Szeged Dev Days.
2014-01-26: My post on the Symfony web profiler in Silex selected in Week of Symfony. w00t !
2013-10-18: My first commit went into MongoDB today. And, guess what ? It's in JavaScript
2013-09-20 to 29: Working on Drupal 8 EntityAPI at the extended code sprints during and around DrupalCon Prague
2012-08-19: Working on Drupal 8 EntityAPI at Drupalcon Munich
2012-06-15: Working on Drupal 8 EntityAPI at DrupalDevDays Barcelona
2012-03-23: Working on the future Drupal Document Oriented Storage at DrupalCon Denver. D8 or later ? ~~Bets are on~~ Later

Latest sites

2017-11-26: New Drupal 8 site at Rue du Commerce, architected and tech-led by OSInet, just went throught Black Friday week with flying colors thanks to RabbitMQ
2017-05-26: New headless Drupal 8 / Symfony 3 site at FranceTV Sport, architected and tech-led by OSInet, with RabbitMQ
2017-02-20: New Drupal 8 site galaxy (+/- 70 sites) for Agences Régionales de Santé architected and tech-led by OSInet, delivered by Klee
2015-08-21: 50% less server load with MongoDB on the Drupal 7 site factory at France Télévisions
2015-07-15: Our first Drupal 8 production site at France Télévisions is live
2014-08-18: 400% speedup in 3 weeks for http://france3-regions.francetvinfo.fr/ : who said Drupal back-offices had to be slow ?
2014-02-07: Sotchi Olympics traffic not a problem for http://www.francetvsport.fr/ , which I rearchitected on Drupal 7 in 2013
2011-09-14: Completed migration of FranceInfo.FR from SPIP to Drupal
2011-07-13: The new social network features of Le Figaro are now powered by an OSInet-designed MongoDB implementation

Submitted by Frederic Marand on Wed, 2009-03-11 13:48

Add new comment

After a massive user import to a customer's site, said customer noticed that, while he could see any user profile when logged, he could only see some of them when he was not logged in, receiving an "access denied" on the other accounts.

Now, with the administer users permission, a user can see any profile, so this didn't come into consideration, but since anonymous users could see some profiles and not others, the permissions granting anonymous access to the profiles were obviously set up correctly. So what could be wrong ?

Now, to understand what's going on in such a case, a small trip to user.module is necessary. In Drupal 4.7.x and 5.x, access to user/% is controlled directly in user_menu, and the rule for such an access is as follows:

<?php$view_access = user_access('access user profiles');[..snip..]if ($user !== FALSE) {  $view_access |= $user->uid == arg(1);  $view_access &= $account->status || $admin_access;?>

...meaning any user can see his own account or any non-blocked account, assuming he has access user profiles permission, meaning this problem cannot happen. However in Drupal 6 and Drupal 7, things are a bit different, this access is now controlled by the user_view_access($account) function:

<?php// From DRUPAL-6--10 (1.892.2.12) and DRUPAL-7-0-UNSTABLE-5 (1.963)function user_view_access($account) {  return $account && $account->uid &&    (      // Always let users view their own profile.      ($GLOBALS['user']->uid == $account->uid) ||      // Administrators can view all accounts.      user_access('administer users') ||      // The user is not blocked and logged in at least once.      ($account->access && $account->status && user_access('access user profiles'))    );}?>

And the rules have slightly changed in the meantime: any user can now see his own account, or any non-blocked account which has logged in at least once, due to the test on $account->access.

So here is the key : after a mass import, most accounts will likely just have been created, and the just imported accounts won't have "access" set to a non zero value, meaning they won't be visible to any user without administer users permission. Solution: either be satisfied with it or set access to any non-zero value during the import.

Thanks

Thank you very much for your explanation! After an import, where thousands of users were created using Drupal API, some profile could not be accessed...

fgm @ OSInet

I'm @fgm@mamot.fr on Mastodon
Looking for a new project to work on, preferably Go and/or Drupal-based. Contact me, let's see how we could work together.
Have you read my Go book and its blog ?
Is your site reliably up ? Check with my Log4U uptime monitoring service.
Check my drupal.org "fgm" profile
See our OSInet pro services site.
Find me on

Follow me on LinkedIn