If you allow users who aren't logged in to post images, then the permissions checking allows any other user who is also not logged in to edit them.

I've added a perm 'edit own images' and added it to the access check - same as stories.module

Very simple patch made on 4.7.0 works on cvs too - there is a copy for 4.6.0 on http://docs.indymedia.org/view/Devel/ImcDrupalDev#Downloads

Comments

ekes’s picture

Status: new
Size: 753 bytes

Patch with all the descriptive stuff attached

ekes’s picture

Same problem (same auth code) patched and fixed in Audio http://drupal.org/node/64889

jraper@groups.drupal.org’s picture

Sorry if this is a dumb question -- Would I be correct in assuming that this patch will only be operative while the original anonymous user's session is in force? If so, is the image effectively "locked" to all anonymous users (including the originator) thereafter? Just trying to understand this change's implications.

ekes’s picture

Yes, well if you don't want anonymous users (read anyone) to be able to edit posts made anonymously then if someone makes a post anonymously they won't be able to edit it. This is normal behaviour for Drupal modules - see story for example.

I don't think this bug affects many people, as they don't allow anonymous image posting... but some of us do. So for us please make the function of image consistent with other modules - above does it :-)

allie micka’s picture

Priority: Normal » Critical
Status: Needs review » Reviewed & tested by the community

I'm making this "critical" because it opens a rather significant security hole when you delete a user and her content is set to uid=0. All images created by the deleted user become world-writeable. Which is bad.

RTBC.

Thanks!

walkah’s picture

Title: Anonymous users can edit anonymously posted images » Anonymous users can edit anonymously posted images
Status: Reviewed & tested by the community » Fixed

committed. thanks!

Anonymous’s picture

Status: Fixed » Closed (fixed)
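
The access logic discussed in this thread, as an added example that is not the patch or any Drupal module's code: a self-contained PHP model comparing an ownership-only check with a check gated on an 'edit own images' permission. The function names, the role table and the sample accounts are hypothetical and constructed for illustration; only the permission string and the uid=0 convention come from the thread.

```php
<?php
// Constructed model, not Drupal code. uid 0 is the shared anonymous account.
$perms = [
    'anonymous'     => ['create images'],
    'authenticated' => ['create images', 'edit own images'],
];

function has_perm(array $perms, array $account, string $perm): bool {
    return in_array($perm, $perms[$account['role']] ?? [], true);
}

// Ownership-only check: all sessionless visitors share uid 0, so the
// comparison succeeds for any image whose author is uid 0.
function can_edit_uid_only(array $account, array $image): bool {
    return $account['uid'] === $image['uid'];
}

// Shape described in the thread: permission first, then ownership.
function can_edit_with_perm(array $perms, array $account, array $image): bool {
    return has_perm($perms, $account, 'edit own images')
        && $account['uid'] === $image['uid'];
}

$visitor = ['uid' => 0, 'role' => 'anonymous'];      // constructed sample accounts
$member  = ['uid' => 7, 'role' => 'authenticated'];

$cases = [
    'anonymous visitor, image posted anonymously'   => [$visitor, ['uid' => 0]],
    'anonymous visitor, image of a deleted account' => [$visitor, ['uid' => 0]],
    'member, own image'                             => [$member,  ['uid' => 7]],
    'member, image posted anonymously'              => [$member,  ['uid' => 0]],
];

foreach ($cases as $label => [$account, $image]) {
    printf("%-46s uid-only=%s  with-perm=%s\n", $label,
        var_export(can_edit_uid_only($account, $image), true),
        var_export(can_edit_with_perm($perms, $account, $image), true));
}

// Granting 'edit own images' to the anonymous role restores the shared-uid
// match, so the role assignment is what keeps uid 0 content read-only.
$perms['anonymous'][] = 'edit own images';
var_dump(can_edit_with_perm($perms, $visitor, ['uid' => 0]));
```

When auditing a site for this issue, list which roles hold the edit-own permission and how much content is owned by uid 0, since deleted accounts add to that pool.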