The User module issue in https://www.drupal.org/SA-CORE-2016-002 (which allowed a user to be accidentally granted all roles on the site) was fixed via a targeted, low-risk fix (see http://cgit.drupalcode.org/drupal/commit/?id=0e38d94).
But the root of the bug, as I understand it, is that the user_profile_form_submit() winds up running the user account object through entity_form_submit_build_entity(), which mangles top-level non-field-API properties on the account object. This object then winds up back in $form_state['user'].
We should look at doing a more comprehensive fix, which will fix the problem at its root and also fix it for other top-level properties besides $account->roles which could in theory suffer from a similar problem.
Comment | File | Size | Author |
---|---|---|---|
#2 | user-profile-form-submit-2749485-2.patch | 727 bytes | David_Rothstein |
Comments
Comment #2
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedHere's a patch that puts the correct, updated object into $form_state['user'] instead.
Note that the $account_unchanged variable is (already, before this patch) poorly named, but this patch makes the bad naming even more obvious :) So a further refactoring to change that variable name might be a good idea as well.