The User module issue in https://www.drupal.org/SA-CORE-2016-002 (which allowed a user to be accidentally granted all roles on the site) was fixed via a targeted, low-risk fix (see http://cgit.drupalcode.org/drupal/commit/?id=0e38d94).

But the root of the bug, as I understand it, is that user_profile_form_submit() winds up running the user account object through entity_form_submit_build_entity(), which mangles top-level non-field-API properties on the account object. This object then winds up back in $form_state['user'].

We should look at doing a more comprehensive fix, which will fix the problem at its root and also fix it for other top-level properties besides $account->roles which could in theory suffer from a similar problem.

Comments

David_Rothstein created an issue. See original summary.

Status: Active » Needs review
File size: 727 bytes

Here's a patch that puts the correct, updated object into $form_state['user'] instead.

Note that the $account_unchanged variable is (already, before this patch) poorly named, but this patch makes the bad naming even more obvious :) So a further refactoring to change that variable name might be a good idea as well.
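
A simplified, stand-alone PHP model of the mechanism described in the issue summary and of the fix direction in the comment above, added here as an illustration; it is not Drupal core code and not the attached patch. The `model_*` functions and the sample data are hypothetical, and the checkbox-style shape of the submitted `roles` value is an assumption of the model.

```php
<?php
// Added illustration: a stand-alone model, not Drupal core code.
// All function names and sample data here are hypothetical/constructed.

// Stored shape of the property: role ID => role name.
function model_load_account(): stdClass {
  $account = new stdClass();
  $account->uid = 5;
  $account->roles = [2 => 'authenticated user'];
  return $account;
}

// Stand-in for the build step: each top-level submitted value overwrites
// the same-named property, whatever shape the form used for it.
function model_build_entity(stdClass $account, array $values): void {
  foreach ($values as $key => $value) {
    $account->$key = $value;
  }
}

// Stand-in for saving: keeps only checked roles and restores the stored shape.
function model_save(stdClass $original, array $values, array $role_names): stdClass {
  $saved = clone $original;
  $checked = array_filter($values['roles']);
  $saved->roles = array_intersect_key($role_names, $checked);
  return $saved;
}

// A later consumer that reads the keys of ->roles as the granted role IDs.
function model_granted_role_ids(stdClass $account): array {
  return array_keys($account->roles);
}

$role_names = [2 => 'authenticated user', 3 => 'administrator', 4 => 'editor'];
// Constructed submission (assumed checkbox shape): every role ID is a key,
// unchecked boxes carry 0. Only role 2 is checked.
$values = ['roles' => [2 => 2, 3 => 0, 4 => 0]];

$account = model_load_account();
$unchanged = clone $account;
model_build_entity($account, $values);
$saved = model_save($unchanged, $values, $role_names);

// Keeping the built object in form state exposes the form-shaped property.
echo 'built object: ', implode(',', model_granted_role_ids($account)), "\n";
// Keeping the saved object instead exposes the stored-shape property.
echo 'saved object: ', implode(',', model_granted_role_ids($saved)), "\n";
```

The same comparison applies to any other top-level property whose form representation differs from its stored representation, which is the broader concern raised in the summary.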