This allows anonymous users to delete pages. The logic in the module is faulty; it is overriding the permissions on the delete action for ALL pages.
Basically, any user can delete any page unless the user doesn't have the "delete homepage node" permission and is on the homepage.
Comment | File | Size | Author |
---|---|---|---|
#5 | with_patch_wrong_behavior.png | 61.8 KB | krina.addweb |
#5 | with_patch_with_permission.png | 78.38 KB | krina.addweb |
#3 | only-return-forbidden-3075515-3.patch | 701 bytes | JoshaHubbers |
Comments
Comment #2
JoshaHubbers commented: Thank you for your report. I will look into it Monday.
Comment #3
JoshaHubbers commented: This patch removes the "allowed" return value. Now we only return forbidden if the node should not be removed; otherwise we return neutral, so in fact we don't change anything except when the permission should be revoked.
Could you please test if this patch is sufficient?
Comment #4
JoshaHubbers at ezCompany commented
Comment #5
krina.addweb at AddWeb Solution Pvt. Ltd. commented: @JoshaHubbers, thanks for all the efforts. I tested your patch using simplytest.me. The patch works fine without the 'delete homepage node' permission for the anonymous user, but when the anonymous user is given the 'delete homepage node' permission, then it is not allowed to delete the page. PFA. Please look into it and do the needful. Correct me if I'm wrong.
Comment #6
JoshaHubbers at ezCompany commented: Thank you for your comment @krina.addweb. But I cannot think of a situation in which I would give an anonymous user the permission to delete a homepage? The Drupal permission system works such that if a permission is denied, this overrules all allowed permissions. So if the anonymous user does not have the "delete page" permission, the "delete frontpage" permission will obviously not work. I think this is how it is supposed to work...
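Added example, not part of the original thread and not the module's code: a stand-alone PHP model of how Drupal combines access results, contrasting the faulty behaviour from the issue summary with the forbidden-or-neutral behaviour described in comments #3 and #6. The function names, the `core_check` stand-in and the sample cases are assumptions made for illustration; the hook bodies are reconstructed from the thread's description only.

```php
<?php
// Constructed model of Drupal's access-result combination (orIf semantics).
const ALLOWED = 'allowed';
const NEUTRAL = 'neutral';
const FORBIDDEN = 'forbidden';

// Forbidden beats everything; otherwise any "allowed" wins; otherwise neutral.
function or_if(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) {
    return FORBIDDEN;
  }
  return ($a === ALLOWED || $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// Hypothetical reconstruction of the faulty delete check from the issue summary.
function hook_before(bool $is_front, array $perms): string {
  $protected = $is_front && !in_array('delete homepage node', $perms, true);
  return $protected ? FORBIDDEN : ALLOWED; // "allowed" leaks to every other page
}

// Behaviour described in comment #3: forbid, or stay out of the decision.
function hook_after(bool $is_front, array $perms): string {
  $protected = $is_front && !in_array('delete homepage node', $perms, true);
  return $protected ? FORBIDDEN : NEUTRAL;
}

// Stand-in for core's own check; 'delete page' is the name used in comment #6.
function core_check(array $perms): string {
  return in_array('delete page', $perms, true) ? ALLOWED : NEUTRAL;
}

// Access is granted only when the combined result is explicitly "allowed".
function can_delete(callable $hook, bool $is_front, array $perms): bool {
  return or_if($hook($is_front, $perms), core_check($perms)) === ALLOWED;
}

// Constructed cases: [label, is front page, permissions held].
$cases = [
  ['anonymous, ordinary page', false, []],
  ['anonymous, homepage', true, []],
  ['homepage permission only, homepage', true, ['delete homepage node']],
  ['delete page only, homepage', true, ['delete page']],
  ['both permissions, homepage', true, ['delete page', 'delete homepage node']],
];
foreach ($cases as [$label, $is_front, $perms]) {
  printf("%-36s before=%-5s after=%s\n", $label,
    var_export(can_delete('hook_before', $is_front, $perms), true),
    var_export(can_delete('hook_after', $is_front, $perms), true));
}
```

The first case is the reported bug: the "before" variant lets a user with no permissions delete an ordinary page, and the "after" variant does not. The third case corresponds to the observation in comment #5, where the homepage permission alone no longer grants deletion once the hook returns neutral.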
Comment #7
BinaryBlock commented: @JoshaHubbers I have tested locally and the patch appears to have solved this issue.
Comment #9
JoshaHubbers at ezCompany commented
Comment #10
zipymonkey commented: Thanks @JoshaHubbers!