Drupal Allows Creation of Role with No Name [#14609]

It is very easy in Drupal to create a role with no name.
This should be caught; drupal should say "Sorry you must specify
a name before clicking on the "Add Role" button. The page where
this occurs is:
http:///admin/user

-rich

Comment	File	Size	Author
#1	user.module_2.patch	3.17 KB	Prometheus6

Comments

Comment #1

Prometheus6 commented 21 December 2004 at 11:40

Assigned:

Unassigned

» Prometheus6

Status	File	Size
new	user.module_2.patch	3.17 KB

This happened because a switch statement in user_configure() allowed the "Add role" (and the "Save role", and "Delete role" cases) to drop through into the processing for the "role" case after setting the return message. The "role" case calls user_admin_role(), which executes the SQL and draws the role overview and such.

The patch seperates the creation of the overview form into its own function so the form can be drawn without processing any SQL. It also changes the user_configure() switch statement so the Add, Save and Delete role cases don't drop through to the role case.

Comment #2

dries commented 22 December 2004 at 08:51

I committed an alternative fix to DRUPAL-4-5 and HEAD.

Comment #3

(not verified) commented 5 January 2005 at 09:15

Drupal Allows Creation of Role with No Name

Comments

Comment #1

Comment #2

Comment #3

News items

Our community

Documentation

Drupal code base

Governance of community