OpenID is a core module, but User Protect does not protect the editing of OpenID identities at all, so any user with the "administer users" permission can add an OpenID to the administrator account and obtain a way to log in as the administrator without having to edit the password.

Attached file (comment #3): up_openid.patch, 8.45 KB, by hunmonk

Comments

hunmonk:

I don't know a thing about OpenID, so if anybody wants this fixed, please feel free to submit a patch, and I'll review and commit it if it's quality.

Leeteq:

Second that. OpenID changes should definitely be possible to protect.

(Would also be useful if certain roles could be notified by email on selected changes. I just filed a feature request about that. That would help delegate in a somewhat controlled manner. OpenID changes would be one of those special changes that would be extra useful to "secure"/"monitor".)

hunmonk:

Status: Active » Needs review
Attached: up_openid.patch (8.45 KB)

Here you go. Adds OpenID protection to all aspects of the module, including a 'change own openid' permission for users.

anybody able to try this out and see if it works ok?
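To make the shape of such a protection concrete, here is an added illustration written for this issue page; it is not the up_openid.patch attached above and not User Protect's own code. It assumes a small custom Drupal 6 module named openid_guard, the Drupal 6 router paths user/%user/openid and user/%user/openid/delete that the OpenID module registers, and a constructed rule that uid 1 is the protected account. The permission name 'change own openid' mirrors the one described in the comment above; the second permission, 'bypass openid protection', is this example's own name for an explicit override.

```php
<?php
// openid_guard.module (Drupal 6). Added example, not the patch from this issue.
// Assumptions: router paths 'user/%user/openid' and 'user/%user/openid/delete'
// exist as registered by openid.module; uid 1 stands in for a protected account.

/**
 * Implements hook_perm().
 *
 * 'change own openid' follows the name used in the comment above.
 * 'bypass openid protection' is an assumed name for an explicit override.
 */
function openid_guard_perm() {
  return array('change own openid', 'bypass openid protection');
}

/**
 * Constructed protection rule: only uid 1 is protected in this example.
 * A real module would read this from its own configuration.
 */
function openid_guard_is_protected($target) {
  return isset($target->uid) && $target->uid == 1;
}

/**
 * Decide whether $account may add or delete OpenID identities of $target.
 *
 * The point of the check is that 'administer users' alone is no longer
 * enough to touch a protected account's identities; without this, the
 * gap described in the issue summary lets a user administrator attach
 * their own OpenID to the administrator account.
 */
function openid_guard_may_edit($account, $target) {
  if (empty($account->uid) || empty($target->uid)) {
    return FALSE;
  }
  // Editing one's own identities requires the dedicated permission.
  if ($account->uid == $target->uid) {
    return user_access('change own openid', $account);
  }
  // Protected accounts are off limits unless the editor holds the bypass.
  if (openid_guard_is_protected($target)) {
    return user_access('bypass openid protection', $account);
  }
  // Unprotected accounts: ordinary user administration rights apply.
  return user_access('administer users', $account);
}

/**
 * Menu access callback wrapping openid_guard_may_edit() for the current user.
 */
function openid_guard_user_access($target) {
  global $user;
  return openid_guard_may_edit($user, $target);
}

/**
 * Implements hook_menu_alter().
 *
 * Replaces the OpenID pages' access callback (user_edit_access in core,
 * which 'administer users' satisfies) with the guarded check above.
 */
function openid_guard_menu_alter(&$items) {
  foreach (array('user/%user/openid', 'user/%user/openid/delete') as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'openid_guard_user_access';
      $items[$path]['access arguments'] = array(1);
    }
  }
}
```

With this in place, a user who has 'administer users' but not the bypass is denied on both the identity list (where the add form lives) and the delete confirmation for the protected account, while ordinary users keep control of their own identities only if a role grants them 'change own openid'. The menu cache must be rebuilt after enabling the module so hook_menu_alter() takes effect.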

chungyc:

I tried it on my site, and the OpenID protection patch seems to be working.

hunmonk:

Title: No protection for OpenID identities » protection for openid identities
Version: 6.x-1.2 » 7.x-1.x-dev
Status: Needs review » Fixed

Committed to 6.x-1.x-dev.

hunmonk:

Version: 7.x-1.x-dev » 6.x-1.x-dev

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.