When adding an access rule, there is nothing to trace it back. No log entry or watchdog entry is added, while it should be.

We launched our website redesign in Drupal 6.3, containing an exploit vulnerability we patched a week later. However, someone made use of the exploit and injected malicious data, denying access to Googlebot. This passed by unnoticed, so after we upgraded to D6.4 the problem wasn't solved. So, we were unable to trace back when this happened.

I vote for this being logged. I reckon this option should only be accessible to site admins and should be traceable.

Comments

multiplextor

Status: Active » Closed (won't fix)

Closed. The reason: expired.