[drupal-devel] [bug] The anonymous user account can be edited
Issue status update for http://drupal.org/node/25605

 Project:      Drupal
 Version:      4.6.1
 Component:    user system
 Category:     bug reports
 Priority:     critical
 Assigned to:  Robin Monks
 Reported by:  nysus
 Updated by:   mfb
 Status:       patch

With killes' patch I was still able to fill out the edit form at
user/0/edit, user/0./edit or user/0.0/edit to create a new user.

+1 for Robin's patch, which needs to be converted from DOS to UNIX
format.

mfb

Previous comments:
------------------------------------------------------------------------

June 23, 2005 - 06:06 : nysus

Any user, anonymous or otherwise, can go to /user/0/edit and edit the
account of the anonymous user.

------------------------------------------------------------------------

June 24, 2005 - 04:20 : Robin Monks

I'll take care of this one :-)

CONFIRMED on WinXP/Xitami CVS

Robin

------------------------------------------------------------------------

June 24, 2005 - 04:41 : Robin Monks

Attachment: http://drupal.org/files/issues/annon.user.edit.fix (1.92 KB)

Here is the patch. It removes the /edit and /delete operation from user
0. Tested to work on CVS HEAD.

Robin

------------------------------------------------------------------------

June 24, 2005 - 09:32 : killes@www.drop.org

Attachment: http://drupal.org/files/issues/user-edit-fix.patch (999 bytes)

The patch didn't apply on head. I also like my solution better. ;)

------------------------------------------------------------------------

June 27, 2005 - 12:17 : Dries

killes: your patch looks broken. Shouldn't $user->uid be arg(1)?

------------------------------------------------------------------------

June 27, 2005 - 12:31 : killes@www.drop.org

One of us is confused, but who? I don't think that $user->uid has to be
== arg(1). it is a global var.

------------------------------------------------------------------------

June 28, 2005 - 04:31 : Robin Monks

Anyways, my patch still applies (chx had concerns earlier, but the patch
was made correctly and seems to be OK). And it's been tested to work.

I also like the fact that mine covers the entire user, and not just the
edit portion.

Robin
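
The three paths mfb reports (user/0/edit, user/0./edit, user/0.0/edit) all name the anonymous account once the path argument is read as a number. The following is an added example, not part of the thread and not Drupal's code: a hypothetical helper, user_path_uid(), that refuses every operation under user/<id> unless the id is a canonical positive integer, intended to run before the normal permission check. The sample paths are constructed for the example.

```php
<?php
// Added illustration, not Drupal's code. user_path_uid() is a hypothetical helper.

/**
 * Return the account id that a "user/<id>[/<op>]" path refers to, or null
 * when the request must be refused. uid 0 is the anonymous account and is
 * never a valid target, whatever the operation (view, edit, delete).
 */
function user_path_uid(string $path): ?int
{
    $args = explode('/', trim($path, '/'));
    if (count($args) < 2 || $args[0] !== 'user') {
        return null;
    }
    // Canonical decimal only: no sign, dot, exponent, padding or leading zero.
    // This rejects "0" itself and the spellings that a numeric cast would
    // also read as zero ("0.", "0.0", "00", "0e1").
    if (!preg_match('/\A[1-9][0-9]*\z/', $args[1])) {
        return null;
    }
    return (int) $args[1];
}

// Constructed sample paths; the first three are the ones reported in the thread.
$paths = [
    'user/0/edit', 'user/0./edit', 'user/0.0/edit',
    'user/0/delete', 'user/0', 'user/00/edit', 'user/0e1/edit',
    'user/1/edit', 'user/42/delete',
];
foreach ($paths as $path) {
    $uid = user_path_uid($path);
    printf("%-16s %s\n", $path, $uid === null ? 'refused' : "uid $uid");
}
```

Validating the argument once, ahead of any operation-specific handler, gives the coverage Robin describes (the entire user path, not just the edit portion).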