Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In the default install, the drupal module is not enabled. Any user witha drupal account from a different Drupal site can login. This doesn't seem like the proper behavior.
I had to create a deny %@% to prevent this, wich only allows local accounts to be used.
Comments
Comment #1
moshe weitzman CreditAttribution: moshe weitzman commentedI'll look into it. It is possible that removing drupal.module only disables inbound or only disables outbound distributed authentication. It should disable both.
Comment #2
(not verified) CreditAttribution: commentedThere was a bug in 4.0.0 where drupal.module was always loaded, even if it was disabled. It is probably that causing this.
Comment #3
(not verified) CreditAttribution: commentedTime to close this.