Noticed that I was getting notifications for new users with UID's that weren't incremental in nature (eg: 921, 922, 927, 928, 930, 932). Going to the user page (eg: /user/931 or /user/931/edit - I'm using clean url's) manually shows details for a non-existant user (no name, details, etc), rather than displaying some sort of message that the user doesn't exist.

If you are the admin and you delete this user, the system appears to delete the anonymous entry in the table 'users' and it's corresponding entry in the table 'users_roles'. It appears that the "Delete" button on the user edit page deletes the user by name, rather than by the UID.

If the anonymous entry (user UID=0) is missing, you cannot view content from nodes if you are not logged in. Logged in users see no problem.

To re-create the anonymous entry (with mysql):
INSERT INTO users (uid, name, mail) VALUES ('0', '', '');
INSERT INTO users_roles (uid, rid) VALUES (0, 1);

Note: I have confirmed that it deletes the entry in the table users_roles AND in the table users, hence why I suspect it's deleting by the name field.

I haven't tested this yet with 4.6.5, but from a review of the 4.6.5 release announcement, the bugs fixed don't seem to apply.

CommentFileSizeAuthor
#5 user.module_45.patch1.07 KBSteve Simms
#2 user.module_39.patch1.05 KBSteve Simms

Comments

Steve Simms’s picture

Steve Simms commented
Title: Inconsistent User ID's and non-existant user handling » Viewing/Editing/Deleting non-existent users
Version: 4.6.4 » x.y.z
Component: user system » user.module
Assigned: Unassigned » Steve Simms

cef mentioned two potential problems:

1) deleting users from user/___/delete seems to delete by name rather than by UID. I checked this in CVS, and that's not the case -- deleting is done by UID.

2) going to user/___ or user/___/edit for a non-existent user shows a blank form, rather than a page not found, or something like that.

Looking at user.module in HEAD, it looks like there's an || where there should be an &&, unless I'm missing something.

In user_menu:

      if ($user_exists !== FALSE || $admin_access) {
        $items[] = array('path' => 'user/'. arg(1) .'/view', 'title' => t('view'),
          'access' => $view_access, 'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
        $items[] = array('path' => 'user/'. arg(1) .'/edit', 'title' => t('edit'),
          'callback' => 'user_edit', 'access' => $admin_access || $user->uid == arg(1),
          'type' => MENU_LOCAL_TASK);
        $items[] = array('path' => 'user/'. arg(1) .'/delete', 'title' => t('delete'),
          'callback' => 'user_edit', 'access' => $admin_access,
          'type' => MENU_CALLBACK);
...

Is there any reason why someone with admin access should be able to edit and delete a non-existent user?

Steve Simms’s picture

Steve Simms commented
Status: Active » Needs review
StatusFileSize
new user.module_39.patch1.05 KB

I was originally going to attach a patch that just changed the || to an &&, but I think this is a little neater. In addition to preventing the editing and deleting of non-existent users, it prevents the editing and deleting of UID 0, and skips an unnecessary $admin_access check, since the menu items already take care of it as needed.

puregin’s picture

puregin commented

Seems that there was quite a bit of discussion about not 'special casing' the deletion of uid 0 and 1 (e.g., http://drupal.org/node/46149), so I think that perhaps it's best to stick to the original idea of just replacing the || with &&. Otherwise, this look good.

Djun

puregin’s picture

puregin commented
Status: Needs review » Needs work
Steve Simms’s picture

Steve Simms commented
Status: Needs work » Needs review
StatusFileSize
new user.module_45.patch1.07 KB

Actually, the && patch would prevent a user from editing his own account, if I'm reading the code correctly, so that wouldn't work anyway.

Here's a revised patch that removes the UID 0 special case, but is otherwise the same as the previous one.

Robrecht Jacques’s picture

Robrecht Jacques commented
Status: Needs review » Fixed

There is a check on uid > 0 now (v1.612 : http://drupal.org/node/43818)
Permissions were also checked by sa-2006-001: Custom menu items are accessible to anyone (v1.594)

A user does not have access to the view/edit/... page for a non-existing user. You get a "page not found" now.

Setting it as fixed.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)