OpenID is a core module, but User Protect does not protect the editing of OpenID identities at all, so any user with the administer user permission can add an OpenID to the administrator account and obtain a way to log in as the administrator without having to edit the password.
Comment | File | Size | Author |
---|---|---|---|
#3 | up_openid.patch | 8.45 KB | hunmonk |
Comments
Comment #1
hunmonk commented: I don't know a thing about OpenID, so if anybody wants this fixed, please feel free to submit a patch, and I'll review and commit if it's quality.
Comment #2
Leeteq commented: Second that. OpenID changes should definitely be possible to protect.
(Would also be useful if certain roles could be notified by email on selected changes. I just filed a feature request about that. That would help delegate in a somewhat controlled manner. OpenID changes would be one of those special changes that would be extra useful to "secure"/"monitor".)
Comment #3
hunmonk commented: Here you go. Adds an OpenID protection to all aspects of the module, including a 'change own openid' permission for users.
Anybody able to try this out and see if it works OK?
Comment #4
chungyc commented: I tried it on my site, and the OpenID protection patch seems to be working.
Comment #5
hunmonk commented: Committed to 6.x-1.x-dev.