with anonymous user able to edit nodes
Hello, I have strange critical issue with anonymous user being able to edit nodes. I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them. in the permissions anonymous user don't have permissions to edit anything. Idan
Le mercredi 21 juillet 2010 à 14:13 +0300, Idan Arbel a écrit :
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
Have you installed modules that plays with the node_access table? I mean, any module that alters the node access permissions ? Pierre.
Nope, none. Idan -----Original Message----- From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Pierre Rineau Sent: Wednesday, July 21, 2010 2:52 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes Le mercredi 21 juillet 2010 à 14:13 +0300, Idan Arbel a écrit :
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
Have you installed modules that plays with the node_access table? I mean, any module that alters the node access permissions ? Pierre.
Are you sure that $node->uid is > 0 ? On Wed, Jul 21, 2010 at 1:13 PM, Idan Arbel <idan@arbel-designs.com> wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
-- Paolo Mainardi CTO Twinbit Blog: http://www.paolomainardi.com -- Please consider the environment before printing this email --
Yes, possative...really strange...and I'm getting spammed because anyone can edit that content. Idan -----Original Message----- From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Paolo Mainardi Sent: Wednesday, July 21, 2010 3:07 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes Are you sure that $node->uid is > 0 ? On Wed, Jul 21, 2010 at 1:13 PM, Idan Arbel <idan@arbel-designs.com> wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
-- Paolo Mainardi CTO Twinbit Blog: http://www.paolomainardi.com -- Please consider the environment before printing this email --
I'd start with a diff of a fresh core download (of the correct version) and your site. If the server was compromised, anything is possible. Next step: start disabling modules to narrow down the problem. - Ken Winters On Jul 21, 2010, at 8:16 AM, Idan Arbel wrote:
Yes, possative...really strange...and I'm getting spammed because anyone can edit that content.
Idan
-----Original Message----- From: development-bounces@drupal.org [mailto:development-bounces@drupal.org ] On Behalf Of Paolo Mainardi Sent: Wednesday, July 21, 2010 3:07 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes
Are you sure that $node->uid is > 0 ?
On Wed, Jul 21, 2010 at 1:13 PM, Idan Arbel <idan@arbel-designs.com> wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
-- Paolo Mainardi
CTO Twinbit Blog: http://www.paolomainardi.com
-- Please consider the environment before printing this email --
@Idan
From what I have seen, usually nodes are locked down completely and the issue is not being able to access content.
I would get with one of these gurus offline immediately and let them fix it for you. Then they can explain to you what was going on. </ryan> 2010/7/21 Idan Arbel <idan@arbel-designs.com>
Yes, possative...really strange...and I'm getting spammed because anyone can edit that content.
Idan
-----Original Message----- From: development-bounces@drupal.org [mailto: development-bounces@drupal.org] On Behalf Of Paolo Mainardi Sent: Wednesday, July 21, 2010 3:07 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes
Are you sure that $node->uid is > 0 ?
On Wed, Jul 21, 2010 at 1:13 PM, Idan Arbel <idan@arbel-designs.com> wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
-- Paolo Mainardi
CTO Twinbit Blog: http://www.paolomainardi.com
-- Please consider the environment before printing this email --
Is this a standard node type, or is there a module that claims owenrship? A node module has the final say in who can or cannot edit a node and may inadvertantly allow anyone to edit. I did this once early on because I didn't completely understand how access granting worked. But the first thing that I would try is to assign all those nodes to user/1. Nancy ________________________________ From: Idan Arbel I have strange critical issue with anonymous user being able to edit nodes. I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them. in the permissions anonymous user don't have permissions to edit anything. Idan
I know you checked perms, but this definitely sounds like 'edit own <content>' permission. Normally there wouldn't be any consequence of an anon user having that, but since you have anon nodes, if anon had that priv, they'd be able to edit. Also note that a cheap path forward is to use VBO or just the database to change all your anon nodes to an appropriate user, which is probably a good idea anyway. -Randy On Wed, Jul 21, 2010 at 5:13 AM, Idan Arbel <idan@arbel-designs.com> wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
-- Randy Fay Drupal Module and Site Development randy@randyfay.com +1 970.462.7450
Thanks for all the tips, I'll try disabling modules although I can't find the reason why this would happen. I can't assign the nodes to a different user because these nodes are used as content profiles, and there can be only 1 per user. Some nodes will have users attached to them but others won't at first. As for the permission, the anon user doesn't have any content permissions other than access content. And the node type is a simple cck node type. Idan From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Randy Fay Sent: Wednesday, July 21, 2010 3:52 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes I know you checked perms, but this definitely sounds like 'edit own <content>' permission. Normally there wouldn't be any consequence of an anon user having that, but since you have anon nodes, if anon had that priv, they'd be able to edit. Also note that a cheap path forward is to use VBO or just the database to change all your anon nodes to an appropriate user, which is probably a good idea anyway. -Randy On Wed, Jul 21, 2010 at 5:13 AM, Idan Arbel <idan@arbel-designs.com> wrote: Hello, I have strange critical issue with anonymous user being able to edit nodes. I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them. in the permissions anonymous user don't have permissions to edit anything. Idan -- Randy Fay Drupal Module and Site Development randy@randyfay.com +1 970.462.7450
Le mercredi 21 juillet 2010 à 16:31 +0300, Idan Arbel a écrit :
Thanks for all the tips, I'll try disabling modules although I can't find the reason why this would happen.
I can't assign the nodes to a different user because these nodes are used as content profiles, and there can be only 1 per user. Some nodes will have users attached to them but others won't at first.
As for the permission, the anon user doesn't have any content permissions other than access content.
The content_profile module doesn't have you to set any permissions for the content profiles nodes, it does all permission check logic for you. The only permissions you have to set for anonymous user are the field permissions, only if you use the content_permission module. Just leave all permissions for content profile node types empty (except for administrator or moderator roles in order to be able to moderate user profiles). If users can still edit those nodes (other than their own nodes) maybe it's a content profile bug, you should track it and may be ask for support in the module issue queue. Pierre.
I think I found the issue, contrary to what I stated at first, a permission modifying module was installed - node access. Didn't notice it at first, but after modifying it the problem has been resolved. Thanks for you assistance, I greatly appreciate it. Idan -----Original Message----- From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Pierre Rineau Sent: Wednesday, July 21, 2010 4:45 PM To: development@drupal.org Subject: Re: [development] with anonymous user able to edit nodes Le mercredi 21 juillet 2010 à 16:31 +0300, Idan Arbel a écrit :
Thanks for all the tips, I'll try disabling modules although I can't find the reason why this would happen.
I can't assign the nodes to a different user because these nodes are used as content profiles, and there can be only 1 per user. Some nodes will have users attached to them but others won't at first.
As for the permission, the anon user doesn't have any content permissions other than access content.
The content_profile module doesn't have you to set any permissions for the content profiles nodes, it does all permission check logic for you. The only permissions you have to set for anonymous user are the field permissions, only if you use the content_permission module. Just leave all permissions for content profile node types empty (except for administrator or moderator roles in order to be able to moderate user profiles). If users can still edit those nodes (other than their own nodes) maybe it's a content profile bug, you should track it and may be ask for support in the module issue queue. Pierre.
Hi What node access modules do you have installed? Have you rebuilt the node access permissions at admin/content/node-settings? You can install devel which comes with a block for testing node access. Do any of your modules implement hook_menu_alter - they could be overriding access here? Lee On Wed, 2010-07-21 at 14:13 +0300, Idan Arbel wrote:
Hello,
I have strange critical issue with anonymous user being able to edit nodes.
I have nodes created by anonymouse users (created using node import) and any anonymous user can edit them.
in the permissions anonymous user don't have permissions to edit anything.
Idan
participants (8)
-
Idan Arbel -
Ken Winters -
Lee Rowlands -
nan wich -
Paolo Mainardi -
Pierre Rineau -
Randy Fay -
Ryan LeTulle