tab menu missing on user pages

[robertgarrigos]

This module removes the tab menu on user pages:

They are back once the module is disabled:

[yorkshire-pudding]

@jenlampton - I can reproduce this error.
The offending part of code seems to be:

username_enumeration_prevention/username_enumeration_prevention.module

Lines 11 to 26 in 29af763

	/**
	* Implements hook_menu_alter().
	*/
	function username_enumeration_prevention_menu_alter(&$items) {
	$items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
	}
	/**
	* Converts 403 Access Denied responses to 404 Not Found on user profiles.
	*/
	function username_enumeration_prevention_delivery_wrapper($page_callback_result) {
	if ($page_callback_result == MENU_ACCESS_DENIED) {
	$page_callback_result = MENU_NOT_FOUND;
	}
	backdrop_deliver_html_page($page_callback_result);
	}

If I disable that particular function (or even just the hook_menu_alter function) then the problem goes away but then we go back to getting access denied on user pages.

From what I can tell, the module is looking at the menu call and then overriding if it would be access denied but if it isn't it's just returning that page as HTML without the other menu items or the containing layout.

I've tried experimenting with backdrop_deliver_page but I'm out of my depth when it comes to menu alters and I can't get it to work. Please can you take a look?

This module is a great asset in the security arsenal of a backdrop site, so it would be great if we could fix this bug.

[yorkshire-pudding]

@jenlampton @robertgarrigos - I'd like to share what I've tried so far in case either of you are able to add to it:

Within username_enumeration_prevention_menu_alter I added a wrapper around the delivery callback override:

  if (!user_access('access user profiles')) {
    $items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
  }

That improves things for the admin, but not for any user doesn't have that permission. I tried to see if I could access what user page was being called to see if it matched the uid using the $items variable, but when I did print_r($items) the answer was always 1. If we could work out which the user id of the page being called and compare that to the user id then I think we could cover all bases, but I can't figure this one out.

  global $user;
  $user_page = '?'; // get uid of user page being accessed whether accounts/username or user/1/edit

  if (!user_access('access user profiles') && $user->uid != $user_page) {
    $items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
  }

Do either of you know the way to get the $user_page variable populated as per the comment? Or, is there a better way of fixing this bug?

[yorkshire-pudding]

Oddly, I also tried:

  if (user_is_logged_in() == FALSE) {
    $items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
  }

As a fallback to basically only apply to anonymous users (also tried user_is_anonymous() and !user_is_logged_in()) and it never gets called - always returns access denied rather than page not found.

[yorkshire-pudding]

On further testing, I'm not sure that any of the tests above are actually working within this function. They stop the screen being broken but still show Access denied; so the same as disabling the function.
😕