[drupal-devel] [bug] The anonymous user account can be edited

Jose A Reyero drupal-devel at drupal.org
Fri Jul 1 11:25:46 UTC 2005


Issue status update for http://drupal.org/node/25605

 Project:      Drupal
 Version:      4.6.1
 Component:    user system
 Category:     bug reports
 Priority:     critical
 Assigned to:  Robin Monks
 Reported by:  nysus
 Updated by:   Jose A Reyero
 Status:       patch
 Attachment:   http://drupal.org/files/issues/user_anonymous_noedit.patch (701 bytes)

I've tried both patches; both seem to apply and both work, with the only
difference that Killes's still allows the administrator to edit the
anonymous account.


But both patches fail to protect custom profile fields (if you create
custom profile fields, any user can still access the categories of
profile fields for user 0).


So I propose this one, which removes all operations for user 0.




Jose A Reyero



Previous comments:
------------------------------------------------------------------------

June 23, 2005 - 14:06 : nysus

Any user, anonymous or otherwise, can go to /user/0/edit and edit the
account of the anonymous user.




------------------------------------------------------------------------

June 24, 2005 - 12:20 : Robin Monks

I'll take care of this one :-)


CONFIRMED on WinXP/Xitami CVS


Robin




------------------------------------------------------------------------

June 24, 2005 - 12:41 : Robin Monks

Attachment: http://drupal.org/files/issues/annon.user.edit.fix (1.92 KB)

Here is the patch. It removes the /edit and /delete operations from user
0.


Tested to work on CVS HEAD.


Robin




------------------------------------------------------------------------

June 24, 2005 - 17:32 : killes at www.drop.org

Attachment: http://drupal.org/files/issues/user-edit-fix.patch (999 bytes)

The patch didn't apply on HEAD. I also like my solution better. ;)




------------------------------------------------------------------------

June 27, 2005 - 20:17 : Dries

killes: your patch looks broken.  Shouldn't $user->uid be arg(1)?




------------------------------------------------------------------------

June 27, 2005 - 20:31 : killes at www.drop.org

One of us is confused, but who?


I don't think that $user->uid has to be == arg(1). It is a global var.




------------------------------------------------------------------------

June 28, 2005 - 12:31 : Robin Monks

Anyway, my patch still applies (chx had concerns earlier, but the patch
was made correctly and seems to be OK). And it's been tested to work.
I also like the fact that mine covers the entire user, and not just the
edit portion.


Robin




------------------------------------------------------------------------

July 1, 2005 - 05:39 : mfb

With killes' patch I was still able to fill out the edit form at
user/0/edit, user/0./edit or user/0.0/edit to create a new user.


+1 for Robin's patch, which needs to be converted from DOS to UNIX
format.
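The two points the thread converges on, no operations at all for uid 0 (Jose's and Robin's approach) and a path argument that does not accept variant spellings of 0 such as user/0./edit and user/0.0/edit (mfb's report), sketched in PHP as an added example. This is not code from Drupal and not one of the patches attached to this issue; the function names and the $is_admin flag are assumed stand-ins for Drupal's own access checks, and the sample inputs are constructed.

```php
<?php
// Added example, not Drupal code and not one of the patches attached to
// this issue; function names and the $is_admin flag are hypothetical.
// Two failure modes are illustrated:
//  1. uid 0 (the anonymous account) must carry no edit or delete operation;
//  2. the uid taken from the path must be validated as a canonical decimal
//     string. Comparing the raw path piece against the string "0" misses
//     "0." and "0.0", while PHP's loose comparison and MySQL's string-to-
//     number cast both treat "0", "0." and "0.0" as the same number.

/** Weak: string-compares the raw path piece, so "0." and "0.0" slip by. */
function weak_is_anonymous($arg) {
  return $arg === '0';
}

/**
 * Strict: accept only a canonical positive integer, otherwise NULL.
 * Rejects "0", "0.", "0.0", "0e1", "042", "1e3", " 1", "1abc" and negatives,
 * so every spelling of the anonymous uid is refused before any lookup.
 */
function user_uid_from_path($arg) {
  if (!is_string($arg) || !preg_match('/^[1-9][0-9]*$/', $arg)) {
    return NULL;
  }
  return (int) $arg;
}

/**
 * Access check for user/<uid>/edit and user/<uid>/delete.
 * $viewer stands in for the global $user object (->uid). Only a
 * non-anonymous account may be edited, and only by its owner or an admin;
 * an anonymous viewer (uid 0) can never edit anyone.
 */
function user_account_access($path_arg, $viewer, $is_admin) {
  $uid = user_uid_from_path($path_arg);
  if ($uid === NULL) {
    return FALSE;                       // covers every spelling of uid 0
  }
  if ((int) $viewer->uid === 0) {
    return FALSE;                       // anonymous visitors edit nothing
  }
  return $is_admin || ((int) $viewer->uid === $uid);
}

// Constructed sample viewers and path pieces.
$anon = (object) array('uid' => 0);
$bob  = (object) array('uid' => 42);

foreach (array('0', '0.', '0.0', '0e1', '42', '042', '43') as $arg) {
  printf("arg=%-4s weak:%-8s strict(bob):%-8s strict(anon):%s\n",
    $arg,
    weak_is_anonymous($arg) ? 'blocked' : 'allowed',
    user_account_access($arg, $bob, FALSE) ? 'allowed' : 'blocked',
    user_account_access($arg, $anon, FALSE) ? 'allowed' : 'blocked');
}
// Expected: the weak check blocks only "0" and lets "0.", "0.0" and "0e1"
// through; the strict check blocks all of them, allows bob on "42" only,
// and never allows the anonymous viewer.
```

The pattern check runs before any database lookup, which also removes the
MySQL cast as a path to uid 0: a query is only ever built from an integer
that is already known to be non-zero.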