My images uploaded via image_import can be edited by anonymous (unlogged-in) visitors to the site. Image nodes created directly by the image module are not affected.

I need some way to secure the images and ensure that image_import does not do this again in the future.

I can supply a web url to the developers, but meanwhile it is a huge security hole...

Comments

Zed Pobre’s picture

Zed Pobre CreditAttribution: Zed Pobre commented

Are you running any access control modules?

mariuss’s picture

mariuss CreditAttribution: mariuss commented

Just run into the same problem.

The issue is the fact that the user id is left to be zero for imported images, and this amounts to anonymous. Since each user can edit own images, anonymous users will be allowed to edit all imported images.

In order to fix run the following SQL script:
UPDATE node SET uid=1 WHERE type='image' AND uid=0

Instead of 1 you can use some other user id.

kilolima’s picture

kilolima CreditAttribution: kilolima commented

Thanks Mariuss, that fixed it for me.