I am running a Drupal system with the roledelay module installed. The system has a custom role with the "post comments without approval" permission enabled. That way, a user account that signs up won't get the ability to post comments until 1 hour has passed.

Well, for reasons unknown, the role delay module sometimes grants that role to the anonymous user, which lets anonymous users post comments freely. When I look at the users_roles table, this is what I see:

mysql> select * from users_roles;
+-----+-----+
| uid | rid |
+-----+-----+
|   0 |   1 |
|   0 |   4 |
|   1 |   2 |
|   1 |   3 |
|   1 |   4 |
|   2 |   2 |
|   2 |   4 |
[snip]

The second row is the one that should not be there, as it gives the anonymous user access to my custom role. I can delete that row manually to prevent anonymous users from posting, but it comes back within a few hours.

I looked through my logs and found this logfile entry on 4 separate occasions:

User  added to user - posting access role. Stage one

Note the extra space following the word "User". That suggests that there should be a username in there that is not present.

Any suggestions on how to keep this from happening would be appreciated. I have access to the database and can send copies of certain MySQL tables upon request.

Thanks,

-- Doug

Comments

onionweb’s picture

yes, can confirm this is happening.

onionweb’s picture

if you change lines 54 and 69 from

if(!$count->count ) {

to

if(!$count->count && $user->uid!=0) {

it probably fixes it.

dmuth’s picture

That sounds like a good idea. I just applied the patch on one of my sites and I'll report back if it succeeds or not.

Thanks for your help.

-- Doug

dmuth’s picture

Just to follow up on this, onionweb's patch fixed the issue I was having. It should probably be committed to the roledelay module.

-- Doug

dmuth’s picture

Whoops! Forgot to mention a modification I made on my end. The line should really read:

if(!$count->count && $u->uid != 0) {

$user is the user that's logged in, while $u is the user that's being operated on.

-- Doug
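
An added example (not the roledelay module's code and not written by anyone in this thread) showing the `$u->uid != 0` guard discussed above, together with a check for leftover uid 0 rows in users_roles. It assumes PHP 7.2+ with the pdo_sqlite extension and uses an in-memory SQLite table instead of Drupal's database layer; the function names and constants are hypothetical and the sample rows are constructed.

```php
<?php
// Added illustration: not roledelay's code. Function names are hypothetical.
const ANONYMOUS_UID = 0; // uid of the anonymous user in the listing
const ANONYMOUS_RID = 1; // the one role uid 0 is expected to hold
const DELAYED_RID   = 4; // the custom posting role in the listing

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_roles (uid INTEGER NOT NULL, rid INTEGER NOT NULL,
               PRIMARY KEY (uid, rid))');
    $db->exec('INSERT INTO users_roles VALUES (0,1),(1,2),(1,3),(2,2)'); // constructed rows
    return $db;
}

// Grant $rid to account $u unless it already has it or is the anonymous user.
function grant_delayed_role(PDO $db, object $u, int $rid): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users_roles WHERE uid = ? AND rid = ?');
    $stmt->execute([$u->uid, $rid]);
    $count = (int) $stmt->fetchColumn();
    if (!$count && $u->uid != ANONYMOUS_UID) { // guard on the account being operated on
        $db->prepare('INSERT INTO users_roles (uid, rid) VALUES (?, ?)')
           ->execute([$u->uid, $rid]);
        return true;
    }
    return false;
}

// List roles held by uid 0 other than the anonymous role: these should not exist.
function audit_anonymous_roles(PDO $db): array {
    $stmt = $db->prepare('SELECT rid FROM users_roles WHERE uid = ? AND rid <> ?');
    $stmt->execute([ANONYMOUS_UID, ANONYMOUS_RID]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
foreach ([0, 2] as $uid) { // uid 0 is refused, uid 2 is granted
    $granted = grant_delayed_role($db, (object) ['uid' => $uid], DELAYED_RID);
    echo "uid $uid: ", $granted ? 'granted' : 'skipped', "\n";
}
echo 'stray roles after guarded run: ', count(audit_anonymous_roles($db)), "\n";

// Constructed leftover row from before the fix (the listing's second row).
$db->exec('INSERT INTO users_roles VALUES (0, 4)');
foreach (audit_anonymous_roles($db) as $rid) {
    echo "stray role on uid 0: rid $rid\n";
}
$db->prepare('DELETE FROM users_roles WHERE uid = ? AND rid <> ?')
   ->execute([ANONYMOUS_UID, ANONYMOUS_RID]);
```

The audit query is worth running after the guard is in place as well, since rows written before the fix stay in users_roles until they are deleted.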

bugger’s picture

Status: Active » Needs work

Not sure this belongs here:

With permissions for anonymous user set to post comments but not access comments, gives "You are not authorized to view comments.", when attempting to add a new comment as anonymous user.

dmuth’s picture

Bugger,

That would probably belong as a bug report for the comments module.

-- Doug

mcarbone’s picture

Status: Needs work » Fixed

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.