
Nodeaccess: Strange behavior about anonymous content management

Project:Nodeaccess
Version:5.x-1.2
Component:Code
Category:bug report
Priority:critical
Assigned:Unassigned
Status:active

Issue Summary

If I clear the author field on a new piece of content, the author becomes anonymous for that content. So it may be edited by any user, even one who is not logged in on the Drupal front end.

Can I avoid this issue without putting an author name on every piece of content?

Thanks.

Comments

#1

Component:base system» user system
Category:task» bug report
Priority:normal» critical

#2

Assigned to:gianfrasoft» Anonymous

#3

At admin -> user management -> access control, under the section "node module", how are the "edit own xxxx content" permissions set for the role "anonymous"?

#4

The edit own xxxx content permissions are ALL set to false.

#5

What happens if you disable all contrib modules? And perhaps optional core modules? And maybe clear (for now) all "edit own xxxx content" and "edit xxxx content" permissions. I can't reproduce the problem.

#6

Title:Strange behavior about anonymous content» Nodeaccess: Strange behavior about anonymous content management
Project:Drupal core» Nodeaccess
Version:5.9» 5.x-1.2
Component:user system» Code

I found that the problem is in the Nodeaccess module, in which I can't exclude edit permission for the anonymous user if, for the same module, the author has permission to edit content of a specific node type.

For example, if the anonymous user can only view a specific content item but the author can also edit it, in Nodeaccess I see something like this:

        Role                View                     Edit                      Delete
anonymous user               *
other user 1                 *
other user 2                 *
author                       *                        *                           *

I need to do this because I want every user to be able to edit only their own content, and the anonymous user not to be able to create or edit anything on the site. But this way I can't deny the anonymous user the ability to change their own content.

Moving the permission from author to other users isn't a solution because that would grant them permission to edit content made by others.

It would be better if the Nodeaccess module got the author permissions and, after that, overwrote the default role permissions for the node type, denying those that are not set. In my example above, the anonymous user should only be able to view his content even if he is the author.

Can I do this?

Thanks.

#7

Do you need to use nodeaccess for the nodes in question? If you just use the standard roles/permissioning system then it should work the way you want...?

#8

I just got bit by this one as well, or something very similar.

I wasn't actually using nodeaccess for anything yet, just had it installed and enabled, but hadn't touched the settings.

Seems that Drupal's default behaviour with a piece of content is to make the author anonymous if the author field is left blank. The author field was left blank after an edit, and immediately the content became editable by anyone visiting the site.

It's a dangerous default to give the author full permissions since it is so easy to make the author anonymous, or to have a bunch of anonymous-authored content lying around when you first enable the module.

Just to be sure, tested this out with a clean install of nodeaccess on a test site without any settings changed, and content with an empty author is immediately editable by anyone visiting the site.

#9

Thanks, mrf.

I can definitively say that there are two possible solutions:

1. add to Nodeaccess "deny edit" and "deny delete" properties with a higher priority than the other properties (even for the anonymous user);
2. don't allow the Author Settings for "Node author" properties on anonymous users.

#10

The issue here is that "edit own" permissions aren't being taken into consideration. You can verify this also by giving view/edit/delete permissions to a role (authenticated users) for example and take away all "edit any" and "edit own" permissions to the roles. You will see that you'll still have the access granted by nodeaccess.

1. add to Nodeaccess "deny edit" and "deny delete" properties with a higher priority than the other properties (even for the anonymous user);

Due to how hook_node_grants is implemented, this isn't a possibility.

2. don't allow the Author Settings for "Node author" properties on anonymous users.

This may be a solution, but I think some people might want this still. Maybe a configuration option for this is the better way to go.

I think a better solution would be to implement checks for edit own, edit any, delete own, and delete any in nodeaccess_access.

#11

Any fix for this? This is a big, big security vulnerability--for example, by default, a user's nodes are assigned to Anonymous when a user is deleted. With this bug in nodeaccess, it results in anyone having author-level access to the nodes.

There's no reason for the anonymous user to be treated like other users. It's not actually a user, it's just a placeholder for no user.

#12

Title:Nodeaccess: Strange behavior about anonymous content management» grant view permission to a node not working using nodeaccess untill we enable the following permission at admin -> user manageme
Version:5.x-1.2» 6.x-1.3

Granting view permission to a node is not working using nodeaccess until we enable the following permission at admin -> user management -> access control, under the section "node module".
Is there any solution to this issue?

#13

Title:grant view permission to a node not working using nodeaccess untill we enable the following permission at admin -> user manageme» Nodeaccess: Strange behavior about anonymous content management
Version:6.x-1.3» 5.x-1.2

zohera: sounds like a separate issue, so I'd suggest creating a separate issue for it.

#14

Title: Nodeaccess: Strange behavior about anonymous content management» Nodeaccess: Strange behavior about anonymous content management

About my solution:

don't allow the Author Settings for "Node author" properties on anonymous users.

andyl56 says:

This may be a solution, but I think some people might want this still... Maybe a configuration option for this is the better way to go.

Yes, I think this is the simplest solution to a very big problem. Do we go?

#15

Subscribing.

#16

Version:5.x-1.2» 6.x-1.3

I am using the 6.x version of the module and was running into the same problems. I just wanted to ping this thread to say that I've created a patch for 6.x at #959358: Create additional permissions for anonymous authors.

#17

Version:6.x-1.3» 5.x-1.2

Changing version back.

#18

don't allow the Author Settings for "Node author" properties on anonymous users.

andyl56 says:

This may be a solution, but I think some people might want this still... Maybe a configuration option for this is the better way to go

No config option needed, that's what the Anonymous User row is for. Unless you want to give anonymous users access only to nodes where their author has been deleted. I can't see a use case for that.
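As an added illustration of the approach in #18 (never give the author grant to uid 0) combined with the "edit own"/"delete own" check that #10 says Nodeaccess skips, here is a hypothetical Drupal 6 module. This is example code written for this page, not Nodeaccess's own code and not a patch to it; the module name `ownaccess`, the realm name and the function names are assumptions. It uses only the core Drupal 6 node access API (`hook_node_access_records()`, `hook_node_grants()`, `user_access()`, `node_get_types()`).

```php
<?php
/**
 * @file
 * Hypothetical "ownaccess" module (example code, not part of Nodeaccess).
 *
 * Drupal 6 node access grants for "the author may edit their own node" that
 * never apply to the anonymous user (uid 0) and that also respect the core
 * "edit own TYPE content" / "delete own TYPE content" permissions.
 */

// Assumed realm name; any unique string works.
define('OWNACCESS_REALM', 'ownaccess_author');

/**
 * Implements hook_node_access_records().
 *
 * Called when a node is saved or node access is rebuilt. One row per node:
 * the grant id is the node's uid. A node owned by uid 0 (orphaned by a user
 * deletion, or saved with an empty author field) gets no row at all, so no
 * grant in this realm can ever match an anonymous visitor.
 */
function ownaccess_node_access_records($node) {
  if (empty($node->uid)) {
    return array();
  }
  return array(
    array(
      'realm'        => OWNACCESS_REALM,
      'gid'          => $node->uid,
      'grant_view'   => 1,
      'grant_update' => 1,
      'grant_delete' => 1,
      'priority'     => 0,
    ),
  );
}

/**
 * Implements hook_node_grants().
 *
 * Called on every access check with $op one of 'view', 'update', 'delete'.
 * Returns, per realm, the grant ids the account holds. An anonymous account
 * gets nothing in this realm. An authenticated account gets its own uid for
 * 'view' unconditionally, and for 'update'/'delete' only if core says it may
 * edit/delete its own content of at least one node type.
 */
function ownaccess_node_grants($account, $op) {
  $grants = array();
  if (empty($account->uid)) {
    // The anonymous user is a placeholder, not an author.
    return $grants;
  }
  if ($op == 'view') {
    $grants[OWNACCESS_REALM] = array($account->uid);
    return $grants;
  }
  // Core permission strings are "edit own TYPE content" and
  // "delete own TYPE content"; the node access op for editing is 'update'.
  $verb = ($op == 'update') ? 'edit' : $op;
  foreach (node_get_types('names') as $type => $name) {
    if (user_access($verb . ' own ' . $type . ' content', $account)) {
      $grants[OWNACCESS_REALM] = array($account->uid);
      break;
    }
  }
  return $grants;
}
```

After enabling a module that implements `hook_node_access_records()`, the node_access table has to be regenerated (Rebuild permissions on the content settings page, or `node_access_rebuild()`), otherwise existing nodes keep whatever rows were written before. Note that node access grants are additive across modules: a grant handed out by any other module (including Nodeaccess's own author realm) still opens the node, so this only helps if it is the module responsible for author access.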

#19

I think a solution is becoming indispensable.

I'll check the code asap.

#20

Mine isn't a very good solution, but it's what I just put in place on our site while I look further into the issue and consider applying #959358: Create additional permissions for anonymous authors. I changed node_user() to reset ownership of a deleted user's content to the admin account (uid 1) rather than anonymous (uid 0). For my employer's website this is a sufficient short-term fix, but I may opt to deploy jbylsma's solution.

Attachment: node-anonymous_perms-306541-20.patch (620 bytes)

#21

I have disabled the node author from being able to edit any nodes and rebuilt permissions; anon is still able to edit the specific node where the author was deleted.

Edit: My bad, I should have cleared cache. The edit form was cached for anon users.

The previous comment works well, but if you don't want to hack core you can create a custom module with 1 function in it:

<?php
/**
 * Implements hook_user().
 *
 * When an account is deleted, reassign its nodes and node revisions to
 * uid 1 (the admin account) instead of leaving them to the anonymous
 * user (uid 0).
 */
function mymodulename_user($op, &$edit, &$user) {
  if ($op == 'delete') {
    db_query('UPDATE {node} SET uid = 1 WHERE uid = %d', $user->uid);
    db_query('UPDATE {node_revisions} SET uid = 1 WHERE uid = %d', $user->uid);
  }
}
?>

Just make sure this module has a heavier weight than node.module.

Another edit: I wanted to be absolutely sure that an anonymous user can never edit or submit a node; on our site this is the desired behavior. The following function, thrown into a custom module, will achieve that:

<?php
/**
 * Implements hook_nodeapi().
 *
 * Always deny anonymous users the node form: refuse to prepare, validate
 * or save a node when the current user is uid 0. Checking 'presave' and
 * 'validate' as well as 'prepare' is probably overkill; 'prepare' alone is
 * likely enough.
 */
function mymodulename_nodeapi(&$node, $op) {
  if ($op == 'prepare' || $op == 'presave' || $op == 'validate') {
    global $user;
    if ($user->uid == 0) {
      drupal_access_denied();
      // drupal_access_denied() prints the 403 page but does not end the
      // request, so stop here to keep the node form from being rendered too.
      exit;
    }
  }
}
?>