Shouldn't add user 0 to the mandatory group
hadsie - August 28, 2007 - 16:37
| Project: | Organic Groups Mandatory Group |
| Version: | 4.7.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
In some situations when the mandatory group module is used in combination with a user access or authentication module, such as openid, the anonymous user is added to the mandatory group. This appears to be caused because an account with uid 0 is being passed around prior to the account being properly set up. If the og_mandatory_group_user hook is executed before the module that is setting up the user, then user 0 may be added to the mandatory group.
The attached patch prevents this from happening and writes a watchdog message if it tries to.
| Attachment | Size |
|---|---|
| og_mandatory_group_no_anonymous.patch | 970 bytes |
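
The hook-ordering problem described in the report, as an added stand-alone PHP model (not the attached patch and not the module's code). Every `demo_*` function, the group id 7 and the uid 42 are constructed for illustration.

```php
<?php
// Constructed model: hooks run in order on an account that still has uid 0
// until the (hypothetical) authentication module's hook assigns the real uid.

// Unguarded hook: subscribes whatever account it is handed.
function demo_mandatory_group_unguarded($account, $gid, array &$members, array &$log) {
  $members[$gid][] = $account->uid;
}

// Guarded hook: refuses uid 0 (the anonymous user) and records the attempt.
function demo_mandatory_group_guarded($account, $gid, array &$members, array &$log) {
  if (empty($account->uid)) {
    $log[] = "refused to add uid 0 to group $gid";
    return;
  }
  $members[$gid][] = $account->uid;
}

// Stand-in for an authentication module that sets up the account in its own hook.
function demo_auth_setup($account, $gid, array &$members, array &$log) {
  $account->uid = 42; // constructed uid
}

// Invoke the given hooks in order and return the resulting membership and log.
function demo_run(array $hooks) {
  $members = [];
  $log = [];
  $account = (object) ['uid' => 0]; // account not yet set up
  foreach ($hooks as $hook) {
    $hook($account, 7, $members, $log);
  }
  return ['members' => $members, 'log' => $log];
}

// Group hook first, no guard: the anonymous user ends up in group 7.
echo json_encode(demo_run(['demo_mandatory_group_unguarded', 'demo_auth_setup'])), "\n";
// Authentication hook first: the real uid is subscribed.
echo json_encode(demo_run(['demo_auth_setup', 'demo_mandatory_group_unguarded'])), "\n";
// Group hook first, with guard: nothing is subscribed and the attempt is logged.
echo json_encode(demo_run(['demo_mandatory_group_guarded', 'demo_auth_setup'])), "\n";
```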

#1
Is the watchdog message needed? Does this occurrence suggest an attempted security breach, or just a badly written contrib module?
#2
Committed the attached minimal fix to all branches.
#3