I don't have time to follow up on this one....
New user: http://drupal.org/user/164711/track
Only post is a project: http://drupal.org/project/Joedian1

CommentFileSizeAuthor
#5 project_create_needs_cvs_account.patch.txt1008 bytesdww

Comments

AjK’s picture

AjK commented
Status: Active » Fixed

project deleted and user block.

However, there was a time (I'm sure) that only users with CVS accounts were permmitted to create Project Nodes.

I will take this up with dww.

AjK’s picture

AjK commented
Component: Spam » Other
Priority: Normal » Critical
Status: Fixed » Active

Reopening issue. After testing I can see that non-cvs account holders now have the ability to create project nodes and I'm fairly certain this wasn't the case previously.

This is the first report of spam on a project node so I'm sure this change must have happened recently.

Additional info: http://drupal.org/project/addcss This project was created by user norio (http://drupal.org/user/51106). About 30mins after that he applied for his CVS account.

I'm not sure if this issue now belongs in the project issue queue but it started here so lets see where it goes.

p.s. I raised to critical as I'm not sure how many site admins have the ability to delete project nodes, it may be a limited number. If someone knows better please lower it back to normal. Thx.

webernet’s picture

webernet commented
Title: spam/experimentation? » All users can create Projects and project releases
Category: task » bug

Here is a list of some more questionable projects that have been created in the last few days...

http://drupal.org/project/hisuk
http://drupal.org/project/addcss
http://drupal.org/project/whm
http://drupal.org/project/travelportaltheme
http://drupal.org/project/footermap

dww’s picture

dww
we/he/they
commented

Perhaps having a pending (unapproved) CVS account is enough for permission to create project nodes? If so, that's evil.

dww’s picture

dww
we/he/they
commented
Project: Drupal.org site moderators » Project
Version: » 5.x-1.x-dev
Component: Other » Projects
Assigned: Unassigned » dww
Status: Active » Needs review
StatusFileSize
new project_create_needs_cvs_account.patch.txt1008 bytes

Argh, I see the bug now. :(

http://drupal.org/node/151892 is the culprit.

In project_project_access(), we're doing something silly in the 'create' case to see if we should restrict based on CVS accounts. We test to see if the project is configured to point to a CVS repository, since in 95% of the other cases, that's right. However, before the project exists, there's no repo, so this part of the test fails, and we assume we should provide permission. Yikes!

Attached patch for HEAD should fix this. Will test locally in a second.

dww’s picture

dww
we/he/they
commented
Status: Needs review » Fixed

Tested, committed to HEAD, backported and committed to DRUPAL-4-7--2, and installed on d.o.

Sorry about that!
-Derek

add1sun’s picture

add1sun commented

I went ahead and deleted the projects nodes that had no CVS activity or were totally off-base or spammy.

drewish’s picture

drewish commented

i kind of wonder if it got over fixed. now, even though i'm listed on the CVS tab, i can't create releases for projects that i'm not the owner of...

drewish’s picture

drewish commented

so it turns out that i can in fact create the release nodes for projects with cvs access but i can't edit the existing release nodes...

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)