Hi, I have just installed Drupal, and already found a major flaw in the user system. I personally am not an expert with CMS coding, so I shall hand the info to the people in power.
I have 3 roles in total: 2 defaults, and one custom-made "Staff" role.
When I assign the same role to several users, when a user logs in, their username, sessions, and information are displaying the info from the last created user on that role.

Sorry if this is unclear, but if you create 2 users, then assign them both to the same role (e.g. Staff), then log in to their accounts, you will notice that all of the users share the details from the last assigned user in that specific role.

If this is unclear, I urge you to contact me, as this is truly a massive flaw, and could cause security holes later on in production.

Before you say it is the cache, I know for a fact it is not. I have fully tested that theory in every way. Now let's see the magic behind this miracle of a CMS. I really love this service, and am not about to let this flaw put me off, but I really need this fixing, or if it is just me being stupid with a certain setting, or if I could fix this in the database, please let me know.

Staff have my email address from this message, and from my account row in the database. Please contact me to let me know what's happening, I would like a notification to tell me that this bug is being processed.

Thank you for a great service.

Comments

keith.smith

Priority: Critical » Normal
Status: Active » Postponed (maintainer needs more info)

I tried to reproduce by:

-- creating a new role named "Staff"
-- creating two new users named user1 and user2, and making both members of the Staff role as I created them.
-- logged out, and then logged in as user1. Went to the My account page and noted that user1's email was shown (and not user2), though user2 would have been the last user created.

Can you reply with some detailed steps regarding how this issue can be reproduced? It may well be that I am not completely understanding some element of your post.

(Changing priority until this is reproduced.)

scoutbaker

I was unable to reproduce as well.

Steps:
Create role "Staff"
Create user "bob"
Create user "sue"
Log in as "bob" - all information is correct (user name in the Navigation block, Who's online, and viewing/editing the user profile)
Log out
Log in as "sue" - all information is correct
Log out
Assign "bob" to role "Staff"
Assign "sue" to role "Staff"
Log in as "bob" - all information is correct
Log out
Log in as "sue" - all information is correct
Log out

dpearcefl

Status: Postponed (maintainer needs more info) » Closed (won't fix)

Closing due to lack of response.