I have a high volume drupal site running 4.5 (I will upgrade to the bugfix release 4.5.1 tonight, Dec 05, 04) but I have run into a bug for the second time where the record in the users table with UID 0 is erased as well as it's corresponding entry in the users_roles table. This makes it so only logged in users can do anything, everyone else gets permissions denied, because no one can be the anonymous user, hence no permissions.

Nothing in drupal logs to indicate that anyone tried to delete a user. Because of this, and because both tables are affected, and we are not using a foreign key mechanism in the db, I assume this is a bug in some module or core. I am going to setup some logging in user module first to grab pertinent information when user accounts are deleted or edited to see if I can see where this is happening.

Any help or thoughts are appreciated.

Comments

crunchywelch’s picture

crunchywelch commented

I am not sure if this is what happened, but it is possible to delete the account with UID 0 through the admin interface if you have user admin permissions. Is this desireable? I would think this should be prevented at all times since drupal relies on that account for non-logged in permission settings.

Also, you can edit the UID 0 account's profile informaiton as a non-logged in user if you manually go to /user/0/edit and select the desired tab and edit it. I would also think this should be prevented.

killes@www.drop.org’s picture

killes@www.drop.org commented

Losing the uid 0 account has happended to me as well. I think it might have been during the 4.3 to 4.4 upgrade, but I am not sure.
About editing the uid = 0 user: I could make a patch which will prohibit this if we agree that it should not be done. But I still think we shoudl abandon the Anonymous user name setting and name that user just the usual way.

killes@www.drop.org’s picture

killes@www.drop.org commented

http://drupal.org/node/5639