[drupal-devel] [bug] The anonymous user account can be edited
Chris Johnson
drupal-devel at drupal.org
Fri Jul 1 15:25:28 UTC 2005
Issue status update for http://drupal.org/node/25605
Project: Drupal
Version: 4.6.1
Component: user system
Category: bug reports
Priority: critical
Assigned to: Robin Monks
Reported by: nysus
Updated by: Chris Johnson
Status: patch
I've always thought that the administrator should be able to edit uid ==
0 (the anonymous user) and that ALL of drupal should use the username
provided by the administrator in that record as the name of the
anonymous user to display (with a default to t('anonymous')). Likewise
for anything else about the anonymous user that might ever be displayed.
Handling of the anonymous user has been schizophrenic. I patched it
once, but then development moved things around in the 'variable' usage
of anonymous so much that my patch no longer applied and making it work
again would have taken a large amount of work, so I never re-developed
it. But it's still the right way to do it:
http://drupal.org/node/5639
Chris Johnson
Previous comments:
------------------------------------------------------------------------
June 23, 2005 - 07:06 : nysus
Any user, anonymous or otherwise, can go to /user/0/edit and edit the
account of the anonymous user.
------------------------------------------------------------------------
June 24, 2005 - 05:20 : Robin Monks
I'll take care of this one :-)
CONFIRMED on WinXP/Xitami CVS
Robin
------------------------------------------------------------------------
June 24, 2005 - 05:41 : Robin Monks
Attachment: http://drupal.org/files/issues/annon.user.edit.fix (1.92 KB)
Here is the patch. It removes the /edit and /delete operations from user
0.
Tested to work on CVS HEAD.
Robin
------------------------------------------------------------------------
June 24, 2005 - 10:32 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/user-edit-fix.patch (999 bytes)
The patch didn't apply on head. I also like my solution better. ;)
------------------------------------------------------------------------
June 27, 2005 - 13:17 : Dries
killes: your patch looks broken. Shouldn't $user->uid be arg(1)?
------------------------------------------------------------------------
June 27, 2005 - 13:31 : killes at www.drop.org
One of us is confused, but who?
I don't think that $user->uid has to be == arg(1). It is a global var.
------------------------------------------------------------------------
June 28, 2005 - 05:31 : Robin Monks
Anyways, my patch still applies (chx had concerns earlier, but the patch
was made correctly and seems to be OK). And it's been tested to work.
I also like the fact that mine covers the entire user, and not just the
edit portion.
Robin
------------------------------------------------------------------------
June 30, 2005 - 22:39 : mfb
With killes' patch I was still able to fill out the edit form at
user/0/edit, user/0./edit or user/0.0/edit to create a new user.
+1 for Robin's patch, which needs to be converted from DOS to UNIX
format.
------------------------------------------------------------------------
July 1, 2005 - 05:25 : Jose A Reyero
Attachment: http://drupal.org/files/issues/user_anonymous_noedit.patch (701 bytes)
I've tried both patches; both seem to apply, both work, with the only
difference that Killes's still allows the Administrator to edit the anonymous
account.
But both patches fail to protect custom profile fields (if you create
custom profile fields, any user can still access categories of profile
fields for user 0).
So I propose this one, which removes all operations for user 0.
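Added example, not code from the thread or from any of the attached patches: it shows why an access rule that compares the raw path argument (a string, as Drupal's arg() returns it) against the literal '0' can be slipped past with the user/0./edit and user/0.0/edit variants mfb reported, and how canonicalizing the argument before the access decision closes that gap. The helper names user_edit_access_weak and user_edit_access, and the sample cases, are constructed for illustration; the hardened version follows Jose's line of removing every operation on uid 0, whoever is asking.

```php
<?php
// Constructed example with hypothetical helpers; not Drupal core code.
// Weak rule: treat the raw path argument as a string and shut out only
// the exact value '0' before falling back to "own account or admin".
function user_edit_access_weak($current_uid, $raw_arg, $is_admin) {
  // "0." and "0.0" are numeric strings but are not identical to '0' ...
  if (!is_numeric($raw_arg) || $raw_arg === '0') {
    return FALSE;
  }
  // ... and loose == turns "0." back into 0, so an anonymous visitor
  // ($current_uid === 0) matches a request for user/0./edit.
  return $is_admin || $current_uid == $raw_arg;
}

// Hardened rule: canonicalize the argument to one integer form first,
// then decide; uid 0 never gets edit/delete operations.
function user_edit_access($current_uid, $raw_arg, $is_admin) {
  // Only plain decimal digits pass: rejects '', '0.', '0.0', '-0', '1e0'.
  if (!is_string($raw_arg) || !ctype_digit($raw_arg)) {
    return FALSE;
  }
  $uid = (int) $raw_arg;            // '00' becomes 0, '7' becomes 7
  if ($uid === 0) {
    return FALSE;                   // anonymous account: no operations at all
  }
  return $is_admin || (int) $current_uid === $uid;   // typed comparison
}

// Constructed cases: an anonymous visitor (uid 0, not admin) trying the
// path variants from the thread, plus a normal user (uid 7) on their own
// account and on someone else's.
$cases = array(
  array(0, '0',   FALSE),   // user/0/edit
  array(0, '0.',  FALSE),   // user/0./edit
  array(0, '0.0', FALSE),   // user/0.0/edit
  array(7, '7',   FALSE),   // own account
  array(7, '8',   FALSE),   // another user's account
);
foreach ($cases as $c) {
  list($uid, $arg, $admin) = $c;
  printf("uid=%d arg=%-4s weak=%s hardened=%s\n", $uid, $arg,
    user_edit_access_weak($uid, $arg, $admin) ? 'allow' : 'deny',
    user_edit_access($uid, $arg, $admin) ? 'allow' : 'deny');
}
```

The weak rule allows the '0.' and '0.0' rows for the anonymous visitor while the hardened rule denies all three uid-0 rows and still allows uid 7 to edit only its own account.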