anonymous user can visit user/0/edit

Can no longer be duplicated. Setting to fixed.

This bug isn't fixed as of 4.7.0-rc3. Anonymous users may still access user/0/edit. yogadex's patch won't apply for -rc3, so I've modified it to do so.

Confirmed, current HEAD allows anonymous users to access user/0/edit (but not user/0/track or user/0/view).

confirmed bug. attached patch fixes a problem in the last patch. a typo ("selv" vs. "self") prevented non-admin users from being able to edit their own profiles. others should review, since this is critical, but i'd say this patch is RTBC...

-derek

Not sure about the patch. Shoud user/0 be accessible? Should admins be able to edit the anonymous user? The anonymous user name is set at ?q=admin/settings. If no one should be able to access that page, we should generate 404s, not 403s ...

good point, dries. when i posted that patch, i was under the mistaken impression this was a gaping security hole because i was thinking in unix terms: uid==0 is root. now that it's clear we're just talking about the anonymous user, then yeah, we probably just don't want that page visible at all. new patch with a new approach. b/c of how the menu stuff works (walking up the menu tree automatically), any path of [site]/user/X will land on [site]/user anyway. i'm not sure if it's a good idea to explicity set paths for all these that point to 404 pages, etc. anyway, attached patch just doesn't register any of these menu callback paths if the uid is 0. what do y'all think?

in case that last post wasn't clear. the result of user_no_edit_0.patch.1 is that if the anonymous user navigates to [site]/user/0/edit, they'll land on [site]/user, which is the login page. that seems reasonable to me (and it's a tiny diff).

Committed to HEAD. Thanks.