protection for openid identities
chungyc - April 2, 2009 - 11:05
| Project: | User Protect |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
OpenID is a core module, but User Protect does not protect the editing of OpenID identities at all, so any user with the administer user permission can add an OpenID to the administrator account and obtain a way to log in as the administrator without having to edit the password.
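
One way to close the gap described above, shown as an added example: it is not the patch attached to this issue and not User Protect's own code. The module name `openid_guard` and the helper `openid_guard_protected_uids()` are hypothetical, and the two menu paths are assumed to be the ones the Drupal 6 core OpenID module registers.

```php
<?php
// openid_guard.module: hypothetical Drupal 6 module (added example).

/**
 * Implementation of hook_perm(): permission name taken from comment #3.
 */
function openid_guard_perm() {
  return array('change own openid');
}

/**
 * Implementation of hook_menu_alter(): route the OpenID identity pages
 * through a stricter access callback than core's user_edit_access().
 */
function openid_guard_menu_alter(&$items) {
  // Assumed paths of the core OpenID "identities" tab and its delete page.
  foreach (array('user/%user/openid', 'user/%user/openid/delete') as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'openid_guard_identity_access';
      $items[$path]['access arguments'] = array(1);
    }
  }
}

/**
 * Hypothetical stand-in for a per-account protection lookup.
 */
function openid_guard_protected_uids() {
  return array(1); // uid 1 is the site administrator account.
}

/**
 * Access callback for adding or deleting OpenID identities on $account.
 */
function openid_guard_identity_access($account) {
  global $user;
  // Keep core's baseline: own account or 'administer users', never uid 0.
  if (!user_edit_access($account)) {
    return FALSE;
  }
  // Editing one's own identities requires the dedicated permission.
  if ($user->uid == $account->uid) {
    return user_access('change own openid');
  }
  // 'administer users' alone must not reach a protected account's identities.
  return !in_array($account->uid, openid_guard_protected_uids());
}
```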

#1
i don't know a thing about open ID, so if anybody wants this fixed, please feel free to submit a patch, and i'll review and commit if it's quality.
#2
Second that. OpenID changes should definitely be possible to protect.
(Would also be useful if certain roles could be notified by email on selected changes. I just filed a feature request about that. That would help delegate in a somewhat controlled manner. OpenID changes would be one of those special changes that would be extra useful to "secure"/"monitor".)
#3
here you go. adds an openid protection to all aspects of the module, including a 'change own openid' permission for users.
anybody able to try this out and see if it works ok?
#4
I tried it on my site, and the OpenID protection patch seems to be working.
#5
committed to 6.x-1.x-dev.
#6
#7
Automatically closed -- issue fixed for 2 weeks with no activity.