There are author determination statements at both line 281 and 306.

// the author will access this permission
if ($account->uid == $node->uid) {
	return TRUE;
}

These codes will assign any access permission to anonymous user when the author of the content is empty.
I've just made this simple modification and it seems be fixed.

// the author will access this permission
if ($account->uid && $account->uid == $node->uid) {
	return TRUE;
}

Comments

emptyvoid’s picture

emptyvoid CreditAttribution: emptyvoid commented
Assigned: Unassigned » emptyvoid

Thanks for catching this issue bi_ri00,

I will apply the change and test it, if it proves to not cause additional bugs I'll apply it to the dev branch for testing.

jvieille’s picture

jvieille CreditAttribution: jvieille commented

I have this problem with the dev version, but I couldn't locate the place were to modify the code

this is really critical: if permissions are given to edit own nodes, an anonymous user can do everything in it.
I was already hit by spammers using this loophole.

dreizwo’s picture

dreizwo CreditAttribution: dreizwo commented

Had a same problem! And this is really critical. To reproduce do the following:
1. Node access: Grant User to edit there own content e.g. a page
2. Create a user with rights to create at least a page
3. Login as new user
4. Create a page with at least status published
5. Take a look as anaonymous userr -> everthing works fine
6. Now delete the user created before
7. The page has now no user = anonymous
8. Rebuild rights
9. And now the anomyous user can edit the content... this is proberly a big security hole

jvieille’s picture

jvieille CreditAttribution: jvieille commented

For whatever reasons, I quite often find content without author - something buggy that erases the content author, but it can also happen intentionally when the user has the proper rights and wants a publication to be "anonymous" - he just empty the author field.

Apart specific forms were anonymous are allowed to post content (most certainly through a spam protection like Captcha), it should never be possible for anonymous to post like registered users.

dpatte’s picture

dpatte CreditAttribution: dpatte commented

Ran into this bug on a clients site. Their staff created content, then later the staff left, so they removed that username. Drupal reassigned all their content to anonymous.

Now any anonymous user can edit that content!

What is the recommended workaround for this until the module is fixed?

emptyvoid’s picture

emptyvoid CreditAttribution: emptyvoid commented

@dpatte Nothing to fix the issue is a logistical issue not a technical one.

Option 1
Instead of deleting the user, disable it.

Option 2
Use VBO (Views Bulk Operations) to change the author for all nodes (and content types) that the user authored to an alternative (like user 1 or a dedicated admin user account).

It is not the responsibility of Node access to manage users, rather to evaluate against users. The core constant of an anonymous user is a user with no UID..
This won't change and as a result means that yes as you have defined your security model it implies you could have a security hole.

Instead I would recommend adding a role of "registered" that automatically gets assigned to users when they register. Then only allow users who hold the roll of "registered" to create and edit their own content. There by not relying on the "anonymous" or "authenticated" states in Drupal, but rather a role explicitly assigned.

You could use "rules" to automatically assign the role on account creation or use "loggintoboggin" module to accomplish the same task.

dpatte’s picture

dpatte CreditAttribution: dpatte commented

I reassigned the nodes to the admin user (1) before seeing your message.

With respect, though, I believe your assessment for 'anonymous' content is incorrect. If content is owned by 'anonymous', but an anonymous user doesn't have the permission to 'edit own content', I don't understand why node access would allow him to edit anonymous content. I agree that its not the job of node access to manager users, but I would think that it is the responsibility of Node Access to respect role permissions, including 'anonymous'.

emptyvoid’s picture

emptyvoid CreditAttribution: emptyvoid commented
Status: Needs review » Closed (won't fix)

I follow your reasoning, but only rub is anonymous users are user 0 or no UID and that is any non-logged in visitor to your Drupal site. So allowing anonymous to edit content is synonymous to allowing everyone to edit it. I didn't apply your recommended code change because it would undermine the ability for admins or any user with administrative rights the ability to modify content that they did not author.

When deleting a user from the system the result is all content authored by that user is set to "0". This is a core Drupal business rule, if anything I would question the decision to have this business rule in the core of Drupal user management.

For now I would recommend training and education about the issue. You could also try creating an automated rule (via the rules module) that every time a user is deleted to update all content to a pre-defined UID/account.

I don't see any other route for the issue.

jvieille’s picture

jvieille CreditAttribution: jvieille commented
Status: Closed (won't fix) » Active

emptyvoid, I don't follow your reasoning.
Drupal core does not allow anonymous visitors to edit anonymous content unless this permission is granted.
When Node access is enabled, this logic is broken, and anonymous visitors can edit any anonymous content regardless permission settings.