Anonymous users can edit anonymously posted images
ekes - May 22, 2006 - 11:10
| Project: | Image |
| Version: | 6.x-1.x-dev |
| Component: | image.module |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
If you allow users who aren't logged in to post images, then the permissions checking allows any other user who is also not logged in to edit it.
I've added a perm 'edit own images' and added to the access check - same as stories.module
Very simple patch made on 4.7.0 works on cvs too - there is a copy for 4.6.0 on http://docs.indymedia.org/view/Devel/ImcDrupalDev#Downloads
| Attachment | Size |
|---|---|
| image-4.7.0.module.patch.txt | 469 bytes |

#1
Patch with all the descriptive stuff attached
#2
Same problem (same auth code) patched and fixed in Audio http://drupal.org/node/64889
#3
Sorry if this is a dumb question -- Would I be correct in assuming that this patch will only be operative while the original anonymous user's session is in force? If so, is the image effectively "locked" to all anonymous users (including the originator) thereafter? Just trying to understand this change's implications.
#4
Yes, well if you don't want anonymous users (read anyone) to be able to edit posts made anonymously then if someone makes a post anonymously they won't be able to edit it. This is normal behaviour for Drupal modules - see story for example.
I don't think this bug affects many people, as they don't allow anonymous image posting... but some of us do. So for us please make the function of image consistent with other modules - above does it :-)
#5
I'm making this "critical" because it opens a rather significant security hole when you delete a user and her content is set to uid=0. All images created by the deleted user become world-writeable. Which is bad.
RTBC.
Thanks!
#6
committed. thanks!
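The ownership comparison discussed in this thread, as an added stand-alone PHP model (not the attached patch and not image.module code). It compares an ownership-only check with one that also requires 'edit own images', for images posted anonymously and for images reassigned to uid 0 after their author was deleted. The function names, the perms arrays and the stricter third variant are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone model of the check, not image.module code.
// Function names and the perms arrays are hypothetical; uid 0 is the anonymous user.

// Ownership-only comparison: the behaviour the report describes.
function can_edit_before(object $account, object $node): bool {
  return $account->uid == $node->uid;
}

// With the added 'edit own images' permission, as the description states.
function can_edit_after(object $account, object $node): bool {
  return in_array('edit own images', $account->perms, TRUE)
    && $account->uid == $node->uid;
}

// Stricter variant (an assumption, not part of the patch): uid 0 owns nothing.
function can_edit_strict(object $account, object $node): bool {
  return $account->uid != 0 && can_edit_after($account, $node);
}

// Constructed sample accounts and image nodes.
$accounts = [
  'anonymous visitor' => (object) ['uid' => 0, 'perms' => ['create images']],
  'anonymous, perm granted' => (object) ['uid' => 0, 'perms' => ['create images', 'edit own images']],
  'member uid 7' => (object) ['uid' => 7, 'perms' => ['create images', 'edit own images']],
];
$nodes = [
  'posted anonymously' => (object) ['uid' => 0],
  'author deleted, now uid 0' => (object) ['uid' => 0],
  'owned by uid 7' => (object) ['uid' => 7],
];

// Print one row per account/node pair showing the result of each check.
foreach ($accounts as $who => $account) {
  foreach ($nodes as $what => $node) {
    printf("%-24s %-26s before=%-3s after=%-3s strict=%s\n", $who, $what,
      can_edit_before($account, $node) ? 'yes' : 'no',
      can_edit_after($account, $node) ? 'yes' : 'no',
      can_edit_strict($account, $node) ? 'yes' : 'no');
  }
}
```

In this model the permission-based check protects uid 0 content only while 'edit own images' is not granted to the anonymous role, which is worth confirming on the permissions page of any site that allows anonymous image posting.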
#7