Last updated August 27, 2012. Created by greggles on August 15, 2012.
Drupal sites can allow administrators to delete users, or even allow users to delete themselves. This can lead to unexpected situations where anonymous users (i.e. the whole internet) are able to view or edit pages on the site which they otherwise shouldn't be able to see.
Suggested solution
For Drupal 6 and possibly Drupal 7: Rather than deleting users, simply block them.
For Drupal 7: be cautious on /admin/config/people/accounts about setting the "Cancelling account" option to "Delete the account and make its content belong to the Anonymous user."
An example of problems
For Drupal 6 it's possible to encounter this bug with just Drupal core:
- Grant the "edit own page content" permission to anonymous
- Create a user "tobedeleted" and create a page with "tobedeleted" as the author
- Delete the "tobedeleted" user and note that the node created in step 2 now has Anonymous as the author
- Log out of the site and view the node
- The node can now be edited even though the user is not logged in
When combined with node access modules, other situations with similar results can occur if a user is deleted instead of blocked.
Comments
How about attributing the author to another author?
I come from a WordPress background, and in WordPress, when the admin deletes a user, s/he will be asked to transfer the posts made by that user to another user (usually the admin him/herself). This can be used to resolve the security issue that may be created in such a scenario.
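As an added example (not code from this page, from the commenter, or from Drupal core), here is a minimal Drupal 7 module that enforces the "Suggested solution" above and implements the transfer-to-another-user behaviour the comment above describes. It hides the two core cancellation methods that call user_delete() and leave nodes owned by uid 0, and adds a method that blocks the account and reassigns its nodes to a designated user. The module name safe_cancel, the variable safe_cancel_target_uid and its default of uid 1 are assumptions for the example; the hooks and functions used (hook_user_cancel_methods_alter, hook_user_cancel, node_mass_update, db_select, variable_get, watchdog) are core Drupal 7 APIs. The same fix does not apply to Drupal 6, which has no cancellation methods; there, blocking instead of deleting remains the only core option.

```php
<?php
/**
 * @file
 * safe_cancel.module (hypothetical module name; added example, not Drupal core).
 *
 * Drupal 7 only. Replaces the core "make content belong to Anonymous" and
 * "delete account" cancellation methods with one that blocks the account and
 * reassigns its nodes to a designated, non-anonymous user.
 */

/**
 * Implements hook_user_cancel_methods_alter().
 *
 * Removes the two core methods that leave content with uid 0, and adds a
 * custom method that is handled by safe_cancel_user_cancel() below.
 */
function safe_cancel_user_cancel_methods_alter(&$methods) {
  // Both core methods call user_delete(); node module then sets the deleted
  // user's nodes to uid 0, which is the situation this page describes.
  unset($methods['user_cancel_reassign']);
  unset($methods['user_cancel_delete']);

  // _user_cancel() treats any method it does not recognise like
  // 'user_cancel_block', so this custom method blocks rather than deletes.
  $methods['safe_cancel_reassign'] = array(
    'title' => t('Disable the account and reassign its content to a designated user.'),
    'description' => t('The account is blocked and its content becomes owned by the site-configured fallback user.'),
    'access' => user_access('administer users'),
  );
}

/**
 * Implements hook_user_cancel().
 *
 * Reassigns the cancelled account's nodes to the uid stored in the
 * 'safe_cancel_target_uid' variable (assumption: set via variable_set() or
 * $conf in settings.php; defaults to uid 1, the site owner).
 */
function safe_cancel_user_cancel($edit, $account, $method) {
  if ($method != 'safe_cancel_reassign') {
    return;
  }
  $target_uid = (int) variable_get('safe_cancel_target_uid', 1);
  // Never fall back to the anonymous user, to the account being cancelled,
  // or to a uid that does not exist.
  if ($target_uid == 0 || $target_uid == $account->uid || !user_load($target_uid)) {
    watchdog('safe_cancel', 'Refusing to reassign content of uid %uid: invalid target uid %target.',
      array('%uid' => $account->uid, '%target' => $target_uid), WATCHDOG_ERROR);
    return;
  }
  $nids = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('uid', $account->uid)
    ->execute()
    ->fetchCol();
  if ($nids) {
    module_load_include('inc', 'node', 'node.admin.inc');
    // node_mass_update() adds the changes to the cancellation batch started
    // by user_cancel(), the same way core's node_user_cancel() does.
    node_mass_update($nids, array('uid' => $target_uid));
  }
}

/**
 * Audit helper: lists nodes already owned by the anonymous user, i.e. content
 * left behind by earlier deletions that this module could not prevent.
 *
 * Run for example with: drush php-eval 'print_r(safe_cancel_anonymous_nodes());'
 */
function safe_cancel_anonymous_nodes() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'type', 'title'))
    ->condition('uid', 0)
    ->execute()
    ->fetchAllAssoc('nid');
}
```

After enabling the module, revisit /admin/config/people/accounts: if the site-wide "Cancelling account" setting was previously set to one of the removed methods, choose the new method (or "Disable the account and keep its content") there, and use the audit helper to find nodes that are already owned by Anonymous so they can be reassigned or unpublished before anonymous users are granted any "edit own" permission.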