Last updated 14 April 2016. Created on 15 August 2012.
Edited by ladybug_3777, greggles.

Drupal sites can allow users to be deleted, or even allow users to delete themselves. When a deleted user's content is reassigned to the Anonymous user, this can lead to unexpected situations in which anonymous users (i.e. anyone on the internet) are able to view or edit pages on the site that they otherwise should not be able to see.

Suggested solution

For Drupal 6 and possibly Drupal 7: Rather than deleting users, simply block them.

For Drupal 7: Be cautious when using the "Cancel account" functionality configured on /admin/config/people/accounts. The option "Delete the account and make its content belong to the Anonymous user." may pose a security risk, depending on the permissions granted to the Anonymous user role: any "own content" permission that role holds will then apply to the reassigned content.
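One way to enforce the "block, don't delete" advice on a Drupal 7 site is to remove the cancellation methods that delete the account or reassign its content. The following module is an added example written for this page, not code from Drupal core or from the page's authors; the module name `cancel_guard` is hypothetical, and it relies on the core `hook_user_cancel_methods_alter()` hook, which Drupal 7 invokes when building both the account settings form and the per-user cancel confirmation form.

```php
<?php
/**
 * @file
 * cancel_guard.module (hypothetical module name; added example, not core code).
 *
 * Removes the Drupal 7 account-cancellation methods that delete an account or
 * reassign its content to the Anonymous user, so that administrators can only
 * block accounts. Blocked users' content keeps its original owner, so the
 * Anonymous role's "edit own ... content" permissions never apply to it.
 */

/**
 * Implements hook_user_cancel_methods_alter().
 *
 * Drupal 7 calls this from user_cancel_methods(), which backs the "When
 * cancelling a user account" radios on admin/config/people/accounts and the
 * confirmation form shown when an individual account is cancelled.
 */
function cancel_guard_user_cancel_methods_alter(&$methods) {
  // Only the two blocking methods are allowed to remain.
  $allowed = array('user_cancel_block', 'user_cancel_block_unpublish');
  foreach (array_keys($methods) as $method) {
    if (!in_array($method, $allowed, TRUE)) {
      // Drops 'user_cancel_reassign' (content to Anonymous) and
      // 'user_cancel_delete' (account and content deleted).
      unset($methods[$method]);
    }
  }
}

/**
 * Implements hook_enable().
 *
 * Place this function in cancel_guard.install. If the site-wide default was
 * previously set to one of the removed methods, fall back to blocking so the
 * settings form still has a valid default value.
 */
function cancel_guard_enable() {
  $current = variable_get('user_cancel_method', 'user_cancel_block');
  if (!in_array($current, array('user_cancel_block', 'user_cancel_block_unpublish'), TRUE)) {
    variable_set('user_cancel_method', 'user_cancel_block');
  }
}
```

This only shapes the forms: code that calls `user_cancel()` or `user_delete()` directly (other modules, or a Drush command) is not affected, so it complements, rather than replaces, keeping the "administer users" permission tightly held. Drupal 6 has no equivalent hook; there the advice on this page (block instead of delete) remains a matter of administrator practice.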

An example of problems

For Drupal 6 it's possible to encounter this bug with just Drupal core:

  1. Grant the "edit own page content" permission to anonymous
  2. Create a user "tobedeleted" and create a page with "tobedeleted" as the author
  3. Delete the "tobedeleted" user and note that the node created in step 2 now has Anonymous as the author
  4. Log out of the site and view the node
  5. The node can now be edited even though the user is not logged in

When node access modules are in use, other situations with similar results can occur if a user is deleted instead of blocked, because any grant tied to the content's author is inherited by the Anonymous user along with the content.
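To find out whether a Drupal 7 site is already in the state the reproduction steps above describe, the check below asks Drupal's own access layer the question directly: for every node owned by the Anonymous user (uid 0), can an anonymous visitor update or delete it? Because it goes through `node_access()`, it also reflects grants made by node access modules. This is an added example, not code from the page or from Drupal core; it is written as a Drush `php-script` and assumes a Drupal 7 site bootstrapped by Drush. The function name `anon_editable_nodes` is hypothetical.

```php
<?php
/**
 * @file
 * anon_editable_nodes.php (hypothetical file name; added example, not core code).
 *
 * Usage, from the Drupal 7 site root:
 *   drush php-script anon_editable_nodes.php
 *
 * Lists nodes owned by uid 0 that an anonymous visitor could update or delete,
 * which is exactly the outcome of deleting a user with content reassignment
 * when the Anonymous role has "edit own ... content" permissions.
 */

/**
 * Returns nodes owned by the Anonymous user that anonymous visitors may change.
 *
 * @return array
 *   Keyed by nid; each entry has 'type', 'title' and the allowed 'ops'.
 */
function anon_editable_nodes() {
  // A fresh anonymous account object: uid 0 with only the anonymous role.
  $anon = drupal_anonymous_user();
  $hits = array();

  $nids = db_query('SELECT nid FROM {node} WHERE uid = :uid ORDER BY nid', array(':uid' => 0))->fetchCol();

  // Load in chunks so a large site does not exhaust memory.
  foreach (array_chunk($nids, 50) as $chunk) {
    foreach (node_load_multiple($chunk) as $node) {
      $ops = array();
      foreach (array('update', 'delete') as $op) {
        // node_access() honours "edit own/any" permissions, hook_node_access()
        // implementations and node_access table grants for the given account.
        if (node_access($op, $node, $anon)) {
          $ops[] = $op;
        }
      }
      if ($ops) {
        $hits[$node->nid] = array(
          'type' => $node->type,
          'title' => $node->title,
          'ops' => $ops,
        );
      }
    }
  }
  return $hits;
}

$hits = anon_editable_nodes();
if (!$hits) {
  drush_print(dt('No anonymous-owned nodes are editable by anonymous visitors.'));
}
foreach ($hits as $nid => $info) {
  drush_print(dt('nid @nid (@type) "@title": anonymous may @ops', array(
    '@nid' => $nid,
    '@type' => $info['type'],
    '@title' => $info['title'],
    '@ops' => implode(', ', $info['ops']),
  )));
}
```

A non-empty result means content has already been reassigned to Anonymous under a permissive configuration; the fix is to reassign those nodes to a real (blocked) account or to remove the "edit own"/"delete own" permissions from the Anonymous role, and then to stop deleting users in favour of blocking them.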


Comments

ladybug_3777

This sentence seems a little confusing to me:

For Drupal 7: be cautious on /admin/config/people/accounts about using the "Cancelling account" option for "Delete the account and make its content belong to the Anonymous user."

I believe it means the preferred method (when there is existing content belonging to the user that is being removed) is to use the "Cancelling account" instead of the "Delete the account and make its content belong to the Anonymous user."

Correct? If so, this should be re-written for clarity.

**Edit** After looking at the wording on the actual Drupal pages for Cancel Account I think I now understand and this section is just written in a confusing way. I am going to edit and re-write it a little for clarity.