After sending a private message, an anonymous user is presented with the option to create a folder. After creating a folder they can then view folders and see all sent messages from all anonymous users.
Wow, this is not good!
Comments
Comment #1
dalin
I've modified privatemsg_page() to check if the user is logged in for all operations except 'msgto' and 'send'.
This should definitely be reviewed and committed.
Comment #2
dalin
changing to CVS
Comment #3
mindless
This is a good start, as it blocks the operations we don't want guests to perform. However, guests still see some links they shouldn't (that will lead to access-denied with this change). I'll try to hunt those down too.
Comment #4
mindless
Fix applied to HEAD and DRUPAL-4-7. Now if you grant anonymous access to privatemsg, guests can only send private messages.