In the default install, the drupal module is not enabled. Any user witha drupal account from a different Drupal site can login. This doesn't seem like the proper behavior.

I had to create a deny %@% to prevent this, wich only allows local accounts to be used.

Comments

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented
Assigned: Unassigned » moshe weitzman

I'll look into it. It is possible that removing drupal.module only disables inbound or only disables outbound distributed authentication. It should disable both.

Anonymous’s picture

(not verified) CreditAttribution: commented

There was a bug in 4.0.0 where drupal.module was always loaded, even if it was disabled. It is probably that causing this.

Anonymous’s picture

(not verified) CreditAttribution: commented
Priority: Minor » Critical

Time to close this.