[drupal-devel] [bug] The anonymous user account can be edited
Issue status update for http://drupal.org/node/25605
Project: Drupal
Version: 4.6.1
Component: user system
Category: bug reports
Priority: critical
Assigned to: Robin Monks
Reported by: nysus
Updated by: Jose A Reyero
Status: patch
Attachment: http://drupal.org/files/issues/user_anonymous_noedit.patch (701 bytes)

I've tried both patches; both seem to apply, both work, with the only difference that Killes's still allows the Administrator to edit the anonymous account. But both patches fail to protect custom profile fields (if you create custom profile fields, any user can still access categories of profile fields for user 0). So I propose this one, which removes all operations for user 0.

Jose A Reyero

Previous comments:
------------------------------------------------------------------------
June 23, 2005 - 14:06 : nysus
Any user, anonymous or otherwise, can go to /user/0/edit and edit the account of the anonymous user.
------------------------------------------------------------------------
June 24, 2005 - 12:20 : Robin Monks
I'll take care of this one :-)
CONFIRMED on WinXP/Xitami CVS
Robin
------------------------------------------------------------------------
June 24, 2005 - 12:41 : Robin Monks
Attachment: http://drupal.org/files/issues/annon.user.edit.fix (1.92 KB)
Here is the patch. It removes the /edit and /delete operations from user 0. Tested to work on CVS HEAD.
Robin
------------------------------------------------------------------------
June 24, 2005 - 17:32 : killes@www.drop.org
Attachment: http://drupal.org/files/issues/user-edit-fix.patch (999 bytes)
The patch didn't apply on head. I also like my solution better. ;)
------------------------------------------------------------------------
June 27, 2005 - 20:17 : Dries
killes: your patch looks broken. Shouldn't $user->uid be arg(1)?
------------------------------------------------------------------------
June 27, 2005 - 20:31 : killes@www.drop.org
One of us is confused, but who?
I don't think that $user->uid has to be == arg(1). It is a global var.
------------------------------------------------------------------------
June 28, 2005 - 12:31 : Robin Monks
Anyways, my patch still applies (chx had concerns earlier, but the patch was made correctly and seems to be OK). And it's been tested to work. I also like the fact that mine covers the entire user, and not just the edit portion.
Robin
------------------------------------------------------------------------
July 1, 2005 - 05:39 : mfb
With killes' patch I was still able to fill out the edit form at user/0/edit, user/0./edit or user/0.0/edit to create a new user. +1 for Robin's patch, which needs to be converted from DOS to UNIX format.
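The variants mfb probes (user/0./edit, user/0.0/edit) are worth seeing in isolation, because they defeat any fix that blocks only the literal path component "0" and then hands the raw string to the account lookup. The PHP below is an added illustration, not code from Drupal or from any patch attached to this issue; deny_literal_zero, resolve_uid and strict_uid_access are hypothetical names chosen for the example, not Drupal API.

```php
<?php
// Added example, not code from Drupal or from any patch in this thread.
// It reproduces the bypass mfb describes (user/0./edit, user/0.0/edit)
// against a hypothetical deny-list check, and shows a canonical-form
// check that refuses those path components before any lookup happens.

declare(strict_types=1);

// Hypothetical "deny uid 0" check of the kind a patch might add: it blocks
// the literal path component "0" and lets everything else through to the
// account lookup. Returns true when access would be allowed.
function deny_literal_zero(string $arg): bool
{
    return $arg !== '0';
}

// What the lookup layer does with the path component: PHP coerces "0.",
// "0.0", "00" and non-numeric junk to 0 on an integer cast, and MySQL
// coerces such numeric strings the same way when they are compared to an
// integer column, so the record loaded is the anonymous account even
// though the string was not the literal "0".
function resolve_uid(string $arg): int
{
    return (int) $arg;
}

// Canonical-form check: a uid path component must be a non-empty string
// of decimal digits with no leading zero, and must not resolve to the
// anonymous user. Anything else is refused without touching the database.
function strict_uid_access(string $arg): bool
{
    if (preg_match('/^[1-9][0-9]*$/', $arg) !== 1) {
        return false;
    }
    return resolve_uid($arg) !== 0;
}

// Constructed probe values: the literal "0", the two variants from the
// thread, a leading-zero spelling, a legitimate uid, and two junk values.
$probes = ['0', '0.', '0.0', '00', '1', '1.0', 'abc'];

printf("%-6s %-8s %-8s %s\n", 'arg', 'literal', 'strict', 'resolves to');
foreach ($probes as $arg) {
    printf(
        "%-6s %-8s %-8s uid %d\n",
        $arg,
        deny_literal_zero($arg) ? 'allowed' : 'denied',
        strict_uid_access($arg) ? 'allowed' : 'denied',
        resolve_uid($arg)
    );
}
```

Run with `php example.php`. "0." and "0.0" pass the literal check yet resolve to uid 0, which is the situation mfb describes; the canonical-form check denies every probe except "1". The same principle applies to the custom profile field categories Jose mentions: the decision to refuse user 0 has to sit in front of every operation that takes a uid from the path, not only in front of /edit and /delete.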