Here are the conditions where I ran across this bug:

I upgraded a site from 4.6.3 to 4.7 beta 3. After running update.php, my Primary & Secondary Links had disappeared. (This bug has already been reported here.)

With my real links missing, my site instead displayed the default links to "Edit Primary Links" and "Edit Secondary Links." (I'm using the bluemarine theme.) The links actually point to this URL: www.example.com/admin/themes/settings%22+class%3D%22active

Following this link takes you to the theme settings page (though the title of the page displays as "edit primary links" ... this is true even if you click the link for "edit secondary links").

Even when I am not logged in this page allows me to change the default theme of the site. When any unauthorized user changes the theme and clicks submit, an "access denied" message displays ... but the theme changes nonetheless.

Comments

GWL’s picture

Just out of curiosity, I tried that link on drupal.org and was properly denied access to the theme settings. So either this has already been patched in HEAD (I swear I searched) or there's something unique about my site's configuration.

FYI, no roles have been granted access to change the theme on my site. I figured someone would ask. ;)

dami’s picture

Just to confirm, I have the same problem. Updated from 4.6 to 4.7beta3, 'edit primary/secondary links' are displayed along with my primary/secondary links. An anonymous user can click the link and change the default theme, and the theme does get changed though the page says 'access denied'.

wpd’s picture

I could not reproduce this bug with CVS Head.
Just for more information:
I checked out drupal-cvs. Created admin user. Logged in. Logged out.
Clicked on 'edit primary links' -> permission denied.

Did the same thing as above without creating a user first. Permission denied.

Took old database dump from 4.6.3. Ran update.php. No errors. Clicked on edit secondary link. Permission denied.

All this was on Fedora Core 4 machine with:
PHP Version 5.0.4
Apache/2.0.54 (Fedora)

wpd’s picture

I tried with the beta-3 download and I get access denied every time. Maybe it is a PHP version dependent feature?

GWL’s picture

In case this is specific to a particular configuration:

The bug occurred while running Drupal 4.7 beta 3 on:
Apache 1.3.34
PHP version 4.3.11
MySQL version 4.0.25-standard

chx’s picture

Status: Active » Fixed

No one, including me, can reproduce this. A code review reveals nothing. Everything is bound to user_access('administer site configuration');

Anonymous’s picture

Status: Fixed » Closed (fixed)