Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This issue is to manage the patch I am putting together fixing a bunch of bugs ready for a new beta 2 release. In particular I intend to fix all security issues. I've just volunteered to be a co-maintainer for the project and hopefully we can shortly get a safe release.
I will tag all issues with "BETA2". I've also listed some here, especially security issues. I started doing that, but there are too many so they won't all be listed here, so trust the tag.
Security issues are as follows:
- I raised a security issue through the separate security channel. I have since been given clearance by the security team to publish a link to that issue because the D6 release has been deleted, and the D7 release is only Beta. See https://security.drupal.org/node/146273. However I think that issue doesn't contain any information that isn't also listed here, so you don't necessarily have to read it.
- Since my security issue was raised, the maintainer removed the advice to set 'administer users' permission. To make the code work without that permission, we need to address #1717876: Remove dependency on 'Administer users' permission.
- And also re-enable access to admin/people, along the lines of #1776666: Unable to access admin/people even if users have the ability to create new users.. However rather than calling the new permission 'access users overview', I think we need a reduced version of 'administer users', let's call it 'delegated administer users' or something like that.
- And ideally get Views working properly along the lines of #1785554: Views integration - user edit link should take into consideration our new permissions., but also fix the cancel link.
- Bulk block/unblock does not respect permissions #1670954: User who doesn't have edit permission can block/unblock any user and see also #1894578: Enforce correct permissions for block-unblock user.
- Anonymous user can access user/0/edit and create account #2054307: Anonymous user can access user/0/edit and create account
- Ensure error messages don't leak private information #2347461: Error messages should not show user names to unauthorized users.
- Doesn't respect 'change own username' #2056591: Doesn't respect 'change own username' permission .
- "XX and other roles" permission can give access when it shouldn't #2379013: "XX and other roles" permission can give admin access by accident
Other issues
- Not strictly a security issues, but if doing a fairly major rework, we should potentially fix bugs relating to the fact that the permission names have the role names in. Roles might be renamed #2311313: Changing role names loses permissions or translated #2026585: Internal permission name depends on current language and things break.
Comment | File | Size | Author |
---|---|---|---|
#6 | administerusersbyrole-beta2-2378869-6.patch | 14.37 KB | AdamPS |
Comments
Comment #1
AdamPS CreditAttribution: AdamPS commentedComment #2
AdamPS CreditAttribution: AdamPS commentedComment #3
AdamPS CreditAttribution: AdamPS commentedComment #4
ar-jan CreditAttribution: ar-jan commentedI just want to say it's good to see you're working on this!
Comment #5
AdamPS CreditAttribution: AdamPS commentedThere are so many issues to fix that it's simply not practical to have a separate patch for each one. Here is a summary of the changes in this patch and why. Yes, I am aware I haven't uploaded the patch yet - I want to upload the description first so that people don't start using it without knowing what they are getting.
1) Permissions (administerusersbyrole_permission)
2) Menus (hook_menu_alter).
3) Calculation of access (_administerusersbyrole_can_*)
4) Views - just minor tidy up
Comment #6
AdamPS CreditAttribution: AdamPS commentedOK, here is my first version of the patch. Comments, success/bug reports and questions welcome. Those of you that have indicate on other issues that you would like to have a working version of the module - I need your help now to test, review, criticise and so on.
This is my first try at being a module maintainer so please forgive my mistakes in following the correct process.
Using the patch
Updated instructions to use this module:
Key points:
Comment #8
AdamPS CreditAttribution: AdamPS commentedComment #9
AdamPS CreditAttribution: AdamPS commentedGiven that the changes to make it secure have led to some changes in the permissions, and there isn't a clean upgrade, I have decided it's best to make a version 2 of the module. Please check out the dev release that should be available shortly.
Comment #10
AdamPS CreditAttribution: AdamPS commentedFixes now available in latest release
Comment #11
ciss CreditAttribution: ciss at yousign GmbH commentedI know this comes awfully late, but I'm somewhat surprised to see that using role IDs was considered a solution. This creates huge problems with exported roles that are hard to work around.
From what I've seen in the diffs the actual fix would have been to not rely on user_roles() (which uses a query that is tagged with "translatabe") but instead query the role names directly. Role name changes could have easily been tracked in hook_user_role_presave().
Any chance we could go back to using names? It's the next best thing we have to machine names in D7. I'd be happy to open an issue and start working on it.
Comment #12
AdamPS CreditAttribution: AdamPS at AlbanyWeb commented@ciss This is a meta-issue so not the best place for specific issue debating. I suggest the best place for you to look is the more recent issue #2414853: Errors after export and re-import via features . Please read that and add a comment there if you wish.
Bear in mind a) this problem goes away with D8 and b) we have a stable release now (yes you are awfully late!) and renaming the permissions would be a complexity with potential bugs for all users. It might be most realistic for you to create a patch which you apply locally and share it here for anyone else who also wants it. I doubt there will be a lot of new releases to D7. Also it might be easier if your comments could stick to the facts without sharing your personal thoughts on what is "huge" and "easily" done.
Comment #13
ciss CreditAttribution: ciss as a volunteer commented@AdamPS I'm sorry if I sounded too harsh and offended you. I commented on this issue because it provided the best context (as the changes were introduced in a commit that references this issue).
Since the other issue references the D8 branch I'll post the patch to a new issue (even if it will have no chance of getting committed). It might take a few weeks since we've decided to use a rather dirty workaround for now, but hopefully I'll be able to put my money where my mouth is.
Comment #14
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedNo problem, no offense taken - I should have put a smiley. It's definitely valuable to have the patch available for anyone who wants it. Please link your new issue from the existing one.
Comment #15
ciss CreditAttribution: ciss at yousign GmbH commentedFYI we've worked around the issue by using role_export. And even without role_export the problem of exporting roles consistently would probably still be outside of this module's scope (not to mention there are other alternatives like the available feature hooks, and Features itself already does some permission string rewriting for taxonomies).
Whoever reads this: there won't be any patch coming from us.