If you go directly to /admin/access/roles/edit/1 or /admin/access/roles/edit/2, you can edit and delete the roles "anonymous user" and "authenticated user".
Comment | File | Size | Author |
---|---|---|---|
#9 | protect-default-roles_2.patch | 702 bytes | rstamm |
#7 | protect-default-roles.patch | 959 bytes | rstamm |
#5 | user.module_48.patch | 950 bytes | profix898 |
| | user.module_47.patch | 1.01 KB | rstamm |
Comments
Comment #1
pfaocle commented:
Confirmed here: could be a nasty one. Haven't tested patch.
Comment #2
rstamm commented:
I think it's a critical bug
Comment #3
wulff commented:
The patch solves the problem, but wouldn't it make sense to place the if block before the database query?
Comment #4
rstamm commented:
You are right.
It's only a simple and quick solution.
Comment #5
profix898 commented:
+1 for Flanker's patch, works for me.
I think wulff is right, we should check before loading role object from db.
Corrected patch attached.
Comment #6
moshe weitzman commented:
there are a lot of imaginary urls which don't behave properly. do we actually present this link anywhere? how does a user get to this url? this sort of defensiveness just clutters the code IMO.
Comment #7
rstamm commented:
rerolled patch
Comment #8
Kjartan commented:
Patch fails to apply.
Comment #9
rstamm commented:
re-rolled
Comment #10
AmrMostafa commented:
Applied against latest CVS, works as expected.
While I agree with moshe in principle, I think we should fix imaginary URLs that could break Drupal, like this one. The fix ain't that big too ;-).
Very minor, may be unnecessary comment..
For code consistency, I think you should use in_array() like in line 1948:
Comment #11
chx commented:
Most imaginary URLs are already protected by menu or other subsystem. Indeed, breaking Drupal is not a desired effect..
Comment #12
drumm commented:
Committed to HEAD.