[drupal-devel] [bug] The anonymous user account can be edited

killes drupal-devel at drupal.org
Mon Jun 27 19:31:41 UTC 2005


Issue status update for http://drupal.org/node/25605

 Project:      Drupal
 Version:      4.6.1
 Component:    user system
 Category:     bug reports
 Priority:     critical
 Assigned to:  Robin Monks
 Reported by:  nysus
 Updated by:   killes at www.drop.org
 Status:       patch

One of us is confused, but who?


I don't think that $user->uid  has to be == arg(1). it is a global var.




killes at www.drop.org



Previous comments:
------------------------------------------------------------------------

June 23, 2005 - 15:06 : nysus

Any user, anonymous or otherwise, can go to /user/0/edit and edit the
account of the anonymous user.




------------------------------------------------------------------------

June 24, 2005 - 13:20 : Robin Monks

I'll take care of this one :-)


CONFIRMED on WinXP/Xitami CVS


Robin




------------------------------------------------------------------------

June 24, 2005 - 13:41 : Robin Monks

Attachment: http://drupal.org/files/issues/annon.user.edit.fix (1.92 KB)

Here is the patch.  It removes the /edit and /delete operation from user
0.


Tested to work on CVS HEAD.


Robin




------------------------------------------------------------------------

June 24, 2005 - 18:32 : killes at www.drop.org

Attachment: http://drupal.org/files/issues/user-edit-fix.patch (999 bytes)

The patch didn't apply on head. I also like my solution better. ;)




------------------------------------------------------------------------

June 27, 2005 - 21:17 : Dries

killes: your patch looks broken.  Shouldn't $user->uid be arg(1)?







More information about the drupal-devel mailing list