This allows anonymous users to delete pages. The logic in the module is faulty; it is overriding the permissions on the delete action for ALL pages.

Basically, any user can delete any page unless the user doesn't have the "delete homepage node" permission and is on the homepage.


Comments

zipymonkey created an issue. See original summary.

JoshaHubbers’s picture

Thank you for your report. I will look into it Monday.

JoshaHubbers’s picture

This patch removes the "allowed" return value. Now we only return forbidden if the node should not be removed; otherwise we return neutral, so in fact we don't change anything except when the permission should be revoked.

Could you please test if this patch is sufficient?

JoshaHubbers’s picture

Status: Active » Needs review

krina.addweb’s picture

@JoshaHubbers, thanks for all the efforts. I tested your patch using simplytest.me. The patch works fine without the 'delete homepage node' permission for an anonymous user, but when the anonymous user is given the 'delete homepage node' permission, then it is not allowed to delete the page. PFA. Please look into it and do the needful. Correct me if I'm wrong.

JoshaHubbers’s picture

Thank you for your comment @krina.addweb. But I cannot think of a situation in which I would give an anonymous user the permission to delete a homepage. The Drupal permission system works such that if a permission is denied, this overrules all allowed permissions. So if the anonymous user does not have the "delete page" permission, the "delete frontpage" permission will obviously not work. I think this is how it is supposed to work...
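
The access-result behaviour discussed in the comments above (the patch returning only forbidden or neutral, and the test with an anonymous user who holds only 'delete homepage node'), as an added example that is not part of the original thread or the module's code. It is a simplified stand-alone PHP model; the function names, the shape of the pre-patch hook and the 'delete any page content' permission are assumptions made for illustration.

```php
<?php
// Simplified stand-alone model (not Drupal core or module code) of how
// hook_node_access() results are merged with core's permission check.
const ALLOWED = 'allowed';
const NEUTRAL = 'neutral';
const FORBIDDEN = 'forbidden';

// Merge rule for access results: forbidden wins, then allowed, else neutral.
function or_if(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) {
    return FORBIDDEN;
  }
  return ($a === ALLOWED || $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// Core's own delete check, reduced to a single stand-in permission.
function core_check(array $perms): string {
  return in_array('delete any page content', $perms, true) ? ALLOWED : NEUTRAL;
}

// True when the node is the front page and the user lacks the module permission.
function homepage_blocked(bool $isFront, array $perms): bool {
  return $isFront && !in_array('delete homepage node', $perms, true);
}
// Assumed shape of the faulty hook: "allowed" whenever it does not forbid.
function hook_before(bool $isFront, array $perms): string {
  return homepage_blocked($isFront, $perms) ? FORBIDDEN : ALLOWED;
}
// Behaviour described for the patch: forbidden or neutral, never allowed.
function hook_after(bool $isFront, array $perms): string {
  return homepage_blocked($isFront, $perms) ? FORBIDDEN : NEUTRAL;
}

// Delete is granted only when the merged result is "allowed".
function can_delete(callable $hook, bool $isFront, array $perms): bool {
  $result = $hook($isFront, $perms);
  return $result !== FORBIDDEN && or_if($result, core_check($perms)) === ALLOWED;
}

// Constructed cases: label, is front page, permissions held.
$cases = [
  ['anonymous, ordinary page', false, []],
  ['anonymous with homepage permission, front page', true, ['delete homepage node']],
  ['editor, ordinary page', false, ['delete any page content']],
  ['editor without homepage permission, front page', true, ['delete any page content']],
];
foreach ($cases as [$label, $isFront, $perms]) {
  $before = can_delete('hook_before', $isFront, $perms) ? 'yes' : 'no';
  $after = can_delete('hook_after', $isFront, $perms) ? 'yes' : 'no';
  printf("%-48s before=%-3s after=%s\n", $label, $before, $after);
}
```

Run it with the `php` command-line interpreter. The second case is the one tested on simplytest.me: with a neutral hook result, the outcome depends on the core delete permission alone.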

BinaryBlock’s picture

@JoshaHubbers I have tested locally and the patch appears to have solved this issue.

  • JoshaHubbers authored 8c7705a on 8.x-1.x
    Issue #3075515 by JoshaHubbers: Module allows anonymous users to delete...

JoshaHubbers’s picture

Status: Needs review » Fixed

zipymonkey’s picture

Thanks @JoshaHubbers!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.