Deleting users who have written nodes/comments can lead to access bypass
Last updated on 19 April 2026
This documentation needs review. See "Help improve this page" in the sidebar.
Drupal sites can allow users to be deleted, or even allow users to delete themselves. This can sometimes lead to unexpected situations in which anonymous users (i.e. the whole internet) are able to view or edit pages on the site that they otherwise shouldn't be able to see.
Suggested solution
Be cautious when using the "Cancel Account" functionality on /admin/config/people/accounts. The option "Delete the account and make its content belong to the Anonymous user." may pose a security risk, depending on how the permissions of your Anonymous user are configured.
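A configuration check for the combination described above, as an added example (not part of the Drupal documentation or Drupal's own code). It assumes Drupal 8+ exported configuration (`user.settings`, `user.role.*`) converted to JSON, and it assumes that any permission whose name contains " own " is ownership-scoped; the sample data is constructed.

```python
import json

# Constructed sample input shaped like exported Drupal 8+ configuration
# (user.settings and user.role.*), converted to JSON. Not from a real site.
RISKY_SETTINGS = json.loads('{"cancel_method": "user_cancel_reassign"}')
RISKY_ROLES = json.loads("""[
  {"id": "anonymous", "permissions": ["access content",
                                      "edit own page content",
                                      "delete own page content"]},
  {"id": "authenticated", "permissions": ["access content", "cancel account",
                                          "edit own page content"]}
]""")
# Constructed "after" configuration: accounts are blocked instead of deleted,
# and Anonymous keeps no ownership-scoped permissions.
HARDENED_SETTINGS = json.loads('{"cancel_method": "user_cancel_block"}')
HARDENED_ROLES = json.loads("""[
  {"id": "anonymous", "permissions": ["access content"]},
  {"id": "authenticated", "permissions": ["access content",
                                          "edit own page content"]}
]""")

# Machine name of "Delete the account and make its content belong to the
# Anonymous user."
REASSIGN = "user_cancel_reassign"


def audit_cancel_config(settings, roles):
    """Report whether deleted users' content could become anonymous-accessible."""
    perms = {r["id"]: set(r.get("permissions", [])) for r in roles}
    # Assumption (heuristic): " own " in a permission name means the permission
    # is granted only on content owned by the acting user.
    anon_own = sorted(p for p in perms.get("anonymous", ()) if " own " in p)
    reassign_default = settings.get("cancel_method") == REASSIGN
    # Roles whose members can delete themselves without an administrator.
    self_cancel = sorted(r for r, p in perms.items() if "cancel account" in p)
    return {
        "reassign_default": reassign_default,
        "anon_own_perms": anon_own,
        "self_cancel_roles": self_cancel,
        # Content reassigned to Anonymous is then "own" content for every
        # visitor who is not logged in.
        "at_risk": reassign_default and bool(anon_own),
    }


if __name__ == "__main__":
    print(json.dumps(audit_cancel_config(RISKY_SETTINGS, RISKY_ROLES), indent=2))
    print(json.dumps(audit_cancel_config(HARDENED_SETTINGS, HARDENED_ROLES), indent=2))
```

An administrator cancelling an account can still pick the reassign option by hand even when it is not the default, so a non-empty `anon_own_perms` is worth reviewing on its own.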