
User Relationships and User Access Control

开发者 https://www.devze.com 2023-03-04 11:46 Source: Internet

User Relationships works well to control node access to content per an approved user list.

But the problem I am running into is that I would like to also use the core Profile module, and allow those who are connected via User Relationships to see each other's user profiles. I have spent 2 hours trying to figure out a way to not allow a user to spoof the URL and see any user account (Access User Profiles permission is required to see user profiles currently).

I thought of a couple solutions to fix this. What I want to do is serve a 403 page if the URL is spoofed and the requesting user has no access.

Here is what I was thinking:

  1. Disable Access User Profile permission
  2. Call hook_menu_alter or hook_menu_link_alter in a custom module
  3. Change access callback to a custom function, check for user relationship
  4. If no relationship exists serve a 403, otherwise return user_view

I wanted to get some thoughts on this, because I want this check to happen on the user profile page. hook_init() seemed too beefy.

Would this be an effective solution? Thoughts? Or is there a module that will allow me to do this quickly?


All you need: CCK Private Fields + Content Profile

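The access-callback approach listed in the question, sketched as an added example; it is not code from the original post or from the User Relationships project. Assumptions: a hypothetical Drupal 6 custom module named `profile_gate`, the candidate route paths shown, and the `between` / `approved` parameters of `user_relationships_load()`.

```php
<?php
// Added example: hypothetical Drupal 6 module "profile_gate".

/**
 * Implements hook_menu_alter().
 */
function profile_gate_menu_alter(&$items) {
  // Assumption: the wildcard used for the profile route varies by core
  // version, so alter whichever of these candidates is registered.
  $paths = array('user/%user_uid_optional', 'user/%user_view_access', 'user/%user');
  foreach ($paths as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'profile_gate_view_access';
      $items[$path]['access arguments'] = array(1);
    }
  }
}

/**
 * Access callback. Returning FALSE makes the menu system serve the 403 page;
 * the page callback (user_view) stays untouched.
 */
function profile_gate_view_access($account) {
  global $user;

  // Unknown or anonymous target: deny.
  if (empty($account) || empty($account->uid)) {
    return FALSE;
  }
  // Own profile and user administrators, as in core's user_view_access().
  if ($user->uid == $account->uid || user_access('administer users')) {
    return TRUE;
  }
  // Anonymous visitors, blocked accounts, never-logged-in accounts: deny.
  if (!$user->uid || !$account->status || !$account->access) {
    return FALSE;
  }
  // Assumption: user_relationships_load() accepts 'between' and 'approved'
  // and returns an empty array when no matching relationship exists.
  $relationships = user_relationships_load(array(
    'between' => array($user->uid, $account->uid),
    'approved' => 1,
  ));
  return !empty($relationships);
}
```

The menu router is cached, so the alter hook only takes effect after the menu cache is rebuilt. Other routes under `user/%` (such as the edit tab) keep their own access callbacks and are not changed by this.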