The user creation creates a security issue as it opens up an admin user with all permissions (including PHP, I guess) with a trivial password.
It also makes this profile incompatible with Hostmaster (http://drupal.org/project/hostmaster) which creates the first user when the profile is deployed, so the profile fails with a duplicate key error:
user warning: Duplicate entry '1' for key 1query: INSERT INTO users (name, pass, mail, status, uid, created, access) VALUES ('admin', 'b619f555696d41447a0e2e059103e971', 'webmaster@localhost', 1, 1, 1227822316, 1227822316) in /var/hostmaster/drupal-5.x/includes/database.mysql.inc on line 174.
Finally, that code is obsolete in Drupal 6.
Here's a simple patch:
--- drupal_wiki.profile 5 Jan 2008 08:34:30 -0000 1.3
+++ drupal_wiki.profile 27 Nov 2008 21:58:59 -0000
@@ -165,10 +165,6 @@
db_query("UPDATE {permission} SET perm = 'create book pages, edit book pages, edit own book pages, outline posts in books, see printer-friendly version, access comments, post comments, post comments without approval, access content, revert revisions, view revisions, search content, use advanced search, access user profiles' WHERE rid = 1");
db_query("UPDATE {permission} SET perm = 'create book pages, edit book pages, edit own book pages, outline posts in books, see printer-friendly version, access comments, post comments, post comments without approval, access content, revert revisions, view revisions, search content, use advanced search, access user profiles, change own username' WHERE rid = 2");
db_query("INSERT INTO {permission} (`rid`, `perm`, `tid`) VALUES (3, 'create book pages, create new books, edit book pages, edit own book pages, outline posts in books, see printer-friendly version, access comments, administer comments, post comments, post comments without approval, access freelinking list, access content, revert revisions, view revisions, search content, use advanced search, access user profiles, administer users, change own username', 0)");
- // Add admin user with password 'admin'
- db_query("INSERT INTO {users} (`uid`, `name`, `pass`, `mail`, `mode`, `sort`, `threshold`, `theme`, `signature`, `created`, `access`, `login`, `status`, `timezone`, `language`, `picture`, `init`, `data`) VALUES (1, 'admin', MD5('admin'), '', 0, 0, 0, '', '', NOW(), NOW(), 0, 1, NULL, '', '', '', NULL)");
- // Log in administrator after installation
- user_authenticate('admin', 'admin');
// Add freelinking filter
db_query("INSERT INTO {filters} (`format`, `module`, `delta`, `weight`) VALUES (%d, 'freelinking', 0, 10)", 1);
system_initialize_theme_blocks('garland');
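Review bot: where the `INSERT INTO {users}` and `user_authenticate('admin', 'admin')` lines are removed, nothing is left to say who now creates uid 1, so a reader of the profile cannot tell whether the missing account is intentional. A one-line comment at that spot, stating that the profile deliberately creates no user and leaves the first account to the installer or the deployment tool, would document the decision. The removal also only affects fresh installs. Sites already deployed from the old profile still carry the uid 1 row written with `MD5('admin')`, so the release notes should tell those administrators to change that password.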
Comments
Comment #1
anarcat commented
I forgot to mention the related hostmaster issue: http://drupal.org/node/336054
Comment #2
anarcat commented
I have fixed the issue in hostmaster directly, sorry for the noise. I still think it's a bad practice to create a user with default passwords...