Posted by hadsie on August 28, 2007 at 4:37pm
| Project: | Organic Groups Mandatory Group |
| Version: | 4.7.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
In some situations when the mandatory group module is used in combination with a user access or authentication module, such as openid, the anonymous user is added to the mandatory group. This appears to be caused by an account with uid 0 being passed around prior to the account being properly set up. If the og_mandatory_group_user hook is executed before the module that is setting up the user, then user 0 may be added to the mandatory group.
The attached patch prevents this from happening and writes a watchdog message if it tries to.
| Attachment | Size |
|---|---|
| og_mandatory_group_no_anonymous.patch | 970 bytes |
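The hook-ordering problem described in the issue summary, as an added example that is not part of the original post and is not the attached patch: a stand-alone PHP simulation of a membership handler that runs before the authentication module has assigned a uid, next to a guarded version and a check for existing uid 0 memberships. All function names, the uid 42 and the group id 7 are hypothetical or constructed, and no Drupal or Organic Groups API is used.

```php
<?php
// Added illustration; every name here is hypothetical, not Organic Groups code.
const ANONYMOUS_UID = 0;

// Unguarded handler: trusts whatever account object it is handed.
function mandatory_group_unguarded(array &$members, object $account, int $gid): void {
    $members[$gid][] = (int) $account->uid;
}

// Guarded handler: refuses uid 0 and records the skipped attempt in $log.
function mandatory_group_guarded(array &$members, object $account, int $gid, array &$log): void {
    $uid = (int) ($account->uid ?? ANONYMOUS_UID);
    if ($uid === ANONYMOUS_UID) {
        $log[] = "skipped adding anonymous user to group $gid";
        return;
    }
    if (!in_array($uid, $members[$gid] ?? [], true)) {
        $members[$gid][] = $uid;
    }
}

// Stand-in for the authentication module that assigns the real uid late.
function auth_module_finish_setup(object $account): void {
    $account->uid = 42; // constructed sample uid
}

// Audit helper: group ids whose membership list contains the anonymous user.
function groups_with_anonymous_member(array $members): array {
    return array_keys(array_filter(
        $members,
        fn(array $uids): bool => in_array(ANONYMOUS_UID, $uids, true)
    ));
}

// Constructed scenario: the group hook fires before the uid has been set.
$gid = 7; // constructed sample group id
$account = (object) ['uid' => ANONYMOUS_UID, 'name' => 'new-openid-user'];

$unguarded = [];
mandatory_group_unguarded($unguarded, $account, $gid);   // stores uid 0

$guarded = [];
$log = [];
mandatory_group_guarded($guarded, $account, $gid, $log); // skipped and logged
auth_module_finish_setup($account);
mandatory_group_guarded($guarded, $account, $gid, $log); // stores the real uid

var_export([
    'unguarded_groups_with_uid_0' => groups_with_anonymous_member($unguarded),
    'guarded_groups_with_uid_0'   => groups_with_anonymous_member($guarded),
    'guarded_members'             => $guarded,
    'log'                         => $log,
]);
```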
Comments
#1
Is the watchdog message needed? Does this occurrence suggest an attempted security breach, or just a badly written contrib module?
#2
Committed the attached minimal fix to all branches.
#3