I just uploaded my customer's website, based on Drupal 6, to the Internet. The guy tested the new website and found that anyone can edit any topic that is posted in the forums module.

I checked the permissions and found out that I didn't allow anonymous to edit forum topics.
I regenerated the permissions but the issue is still there.

Any idea?

Thanks,
Miki

Comments

vm’s picture

A screen capture of your permissions screen would help in this case. Somewhere you must be giving the anon user role permissions it shouldn't have.

What is the exact version of Drupal core?

syslin’s picture

Here are the screenshots.
The first image http://i29.tinypic.com/2i8yt6h.jpg shows the users permissions page, module forums. Although it is in Hebrew, it is in the same order as the English one; there you can see that for the forums module only creating topics is enabled for anonymous and members too.

In the second image http://i26.tinypic.com/rr2jpi.png you can see that the user is NOT logged on (the login forms exist) and when the user views a forum's topic he has the "Edit" tab too; he can click on it and change any topic and save it.

Any idea?
Thanks,
Miki

vm’s picture

I would inspect ALL permissions for anon users and not just the permissions on the forum.module

and again I ask, what is the exact version of Drupal in use?

sidenote: please refrain from adding a link to your site on every post and comment. Signatures on drupal.org are disabled. No need to subvert that by placing a link to your site in every thread and comment you place on drupal.org.

syslin’s picture

Hi again,
The version of Drupal is 6.10

I would not place a link to my own website again :)

Miki

pixelite’s picture

I've come across this issue when the author of a node is anonymous. This happened to me when I imported a bunch of nodes and forgot to set the author, which defaulted to anonymous.

syslin’s picture

Anyone? Any idea?

Miki

vm’s picture

First thing I'd do is update to Drupal 6.13 and ensure that you aren't already chasing something that has been fixed. 6.10 is 3 bug fix and security releases behind.

syslin’s picture

Upgrading is not an option right now; I need to fix the issue, then I can upgrade on my development workstation, test it and upload it to the production server.

If there are no other options I'll write a patch to fix this issue.

Thanks,
Miki

Khomar’s picture

I am having the exact same issue. I have the latest version of Drupal and all plugins (confirmed this evening):

Watcher
CAPTCHA
External Links
Taxonomy Access Control Lite
Token

An anonymous user can update any of the forum topics!

Permissions for anonymous users:

access comments
access content
search content
view uploaded files

That's it.

Khomar’s picture

Now I feel dumb. I had an error in my taxonomy settings. Nothing to see here... move along.

marcushenningsen’s picture

I just had the same problem. One has to be very careful with TAC Lite, because it may combine with forum permissions in strange and unexpected ways.

vm’s picture

Forums are built on taxonomy, which explains why using a taxonomy access module causes some "static".

esplinter’s picture

Anonymous users could edit any anonymous post in my forums. Finally I found it was due to a wrong config in the nodeaccess module.

I had to modify the config in admin >> user settings >> nodeaccess and now it's working OK.
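
Added example, not part of any comment in this thread: two audit queries for the causes reported above (forum topics authored by uid 0, and update grants written by node access modules such as TAC Lite or nodeaccess). It assumes the Drupal 6 `node` and `node_access` column names with no table prefix; the rows and the realm name are constructed sample data loaded into an in-memory SQLite database so the queries run offline.

```python
import sqlite3

# Constructed sample rows (not data from the thread), using the Drupal 6
# column names for the `node` and `node_access` tables.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT, uid INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,
    grant_view INTEGER, grant_update INTEGER, grant_delete INTEGER);
INSERT INTO node VALUES (1, 'forum', 'Welcome', 3);
INSERT INTO node VALUES (2, 'forum', 'Imported topic', 0);
INSERT INTO node VALUES (3, 'page', 'About', 1);
INSERT INTO node_access VALUES (1, 5, 'tac_lite', 1, 1, 0);
INSERT INTO node_access VALUES (2, 5, 'tac_lite', 1, 0, 0);
INSERT INTO node_access VALUES (3, 0, 'all', 1, 0, 0);
"""

# Forum topics whose author is uid 0 (anonymous), the imported-node case.
ANON_AUTHORED = """
SELECT nid, title FROM node
WHERE type = 'forum' AND uid = 0 ORDER BY nid
"""

# Grants that allow editing forum topics outside the permissions page.
# Each (realm, gid) pair belongs to an access module; check in that
# module's settings which users or roles receive the grant.
UPDATE_GRANTS = """
SELECT na.realm, na.gid, COUNT(*) AS topics
FROM node_access na JOIN node n ON n.nid = na.nid
WHERE n.type = 'forum' AND na.grant_update = 1
GROUP BY na.realm, na.gid ORDER BY na.realm, na.gid
"""

def sample_db():
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit(conn):
    """Return both findings as lists of tuples."""
    return {
        "anon_authored": conn.execute(ANON_AUTHORED).fetchall(),
        "update_grants": conn.execute(UPDATE_GRANTS).fetchall(),
    }

if __name__ == "__main__":
    for finding, rows in audit(sample_db()).items():
        print(finding, rows)
```

The two SQL strings can be run unchanged against the site's own database; an empty result from both means the edit access is coming from somewhere else, such as a role permission.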