Anonymous user gets roles granted to them
| Project: | Role Delay |
| Version: | 4.6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
I am running a Drupal system with the roledelay module installed. The system has a custom role with the "post comments without approval" permission enabled. That way, a user account that signs up won't get the ability to post comments until 1 hour has passed.
Well, for reasons unknown, the role delay module sometimes grants that role to the anonymous user, which lets anonymous users post comments freely. When I look at the users_roles table, this is what I see:
mysql> select * from users_roles;
+-----+-----+
| uid | rid |
+-----+-----+
| 0 | 1 |
| 0 | 4 |
| 1 | 2 |
| 1 | 3 |
| 1 | 4 |
| 2 | 2 |
| 2 | 4 |
[snip]
The second row is the one that should not be there, as it gives the anonymous user access to my custom role. I can delete that row manually to prevent anonymous users from posting, but it comes back within a few hours.
I looked through my logs and found this logfile entry on 4 separate occasions:
User added to user - posting access role. Stage one
Note the extra space following the word "User". That suggests that there should be a username in there that is not present.
Any suggestions on how to keep this from happening would be appreciated. I have access to the database and can send copies of certain MySQL tables upon request.
Thanks,
-- Doug
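
An added example, not part of the original post or of the roledelay module: a repeatable check for the stray row described above, run against a constructed in-memory SQLite copy of the listed users_roles rows. It assumes rid 1 is the built-in anonymous role, as the listing suggests; the function names are hypothetical.

```python
import sqlite3

ANONYMOUS_UID = 0  # Drupal's anonymous user
ANONYMOUS_RID = 1  # assumption: rid 1 is the anonymous role, per the listing

def make_sample_db():
    """Constructed sample: the users_roles rows shown in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_roles (uid INTEGER NOT NULL, rid INTEGER NOT NULL)")
    rows = [(0, 1), (0, 4), (1, 2), (1, 3), (1, 4), (2, 2), (2, 4)]
    db.executemany("INSERT INTO users_roles (uid, rid) VALUES (?, ?)", rows)
    db.commit()
    return db

def find_anonymous_grants(db):
    """Return role ids held by uid 0 other than the anonymous role."""
    cur = db.execute(
        "SELECT rid FROM users_roles WHERE uid = ? AND rid <> ? ORDER BY rid",
        (ANONYMOUS_UID, ANONYMOUS_RID),
    )
    return [rid for (rid,) in cur.fetchall()]

def revoke_anonymous_grants(db):
    """Delete the unexpected uid 0 rows; return how many were removed."""
    cur = db.execute(
        "DELETE FROM users_roles WHERE uid = ? AND rid <> ?",
        (ANONYMOUS_UID, ANONYMOUS_RID),
    )
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_sample_db()
    extra = find_anonymous_grants(db)
    if extra:
        # A non-empty result means anonymous visitors inherit those roles'
        # permissions; alert on it, since the row is reported to reappear.
        print("anonymous user holds unexpected roles:", extra)
        print("rows removed:", revoke_anonymous_grants(db))
```

Because the row is reported to come back within hours, the check is only useful when run on a schedule until the code that inserts it is fixed.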

#1
yes, can confirm this is happening.
#2
if you change lines 54 and 69 from
if(!$count->count ) {
to
if(!$count->count && $user->uid!=0) {
it probably fixes it.
#3
That sounds like a good idea. I just applied the patch on one of my sites and I'll report back if it succeeds or not.
Thanks for your help.
-- Doug
#4
Just to follow up on this, unionweb's patch fixed the issue I was having. It should probably be committed to the roledelay module.
-- Doug
#5
Whoops! Forgot to mention a modification I made on my end. The line should really read:
if(!$count->count && $u->uid != 0) {
$user is the user that's logged in, while $u is the user that's being operated on.
-- Doug
#6
Not sure this belongs here:
With permissions for anonymous user set to post comments but not access comments, gives "You are not authorized to view comments.", when attempting to add new comment as anonymous user.
#7
Bugger,
That would probably belong as a bug report for the comments module.
-- Doug
#8
#9
Automatically closed -- issue fixed for two weeks with no activity.