There are a few little things here that are leading to scenarios where users are able to create content that they shouldn't really be able to. I had a situation where e-mails that were not associated with accounts on the site were having content created with "Anonymous" as the author. This was caused by:
- If an authenticated user manually calls cron then node_object_prepare will stick that user's uid onto the node object
- Mailcomment uses $node->uid as a way to figure out if an authentication mode has worked or not
- The node_access check uses the current global $user rather than the user on the node itself
Patch coming soon tightens up the uid and node_access calls to make sure that only real valid content comes through.
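An added illustration in PHP of the three points above, beside a check that resolves the author from the mail sender instead of from global $user; this is not Mailcomment's code and not the patch attached to this issue. The two function names are hypothetical, and $sender_account stands for whatever account the authentication mode resolved for the sender (or FALSE).

```php
<?php
// Added illustration only: not Mailcomment's code and not the patch on this issue.
// Both function names are hypothetical; node_object_prepare() and node_access()
// are the Drupal core APIs named in the report.

// The pattern described above: author and access are inferred from whoever is
// running cron, so a logged-in cron run turns unknown senders into valid authors.
function example_unsafe_mail_to_node($node) {
  node_object_prepare($node);                    // new node: copies global $user->uid into $node->uid
  if (empty($node->uid)) {
    return FALSE;                                // "authentication failed": only true when cron ran anonymously
  }
  return node_access('create', $node->type);     // third argument omitted: checks the cron runner, not the sender
}

// Hardened: the author is the account the authentication mode resolved for the
// sender ($sender_account, or FALSE); global $user is never consulted.
function example_safe_mail_to_node($node, $sender_account) {
  if (!$sender_account || empty($sender_account->uid)) {
    return FALSE;                                // unknown sender: refuse, never fall back to Anonymous
  }
  node_object_prepare($node);
  $node->uid = $sender_account->uid;             // overwrite whatever node_object_prepare() put there
  if (!node_access('create', $node->type, $sender_account)) {
    return FALSE;                                // the sender's own account may not create this type
  }
  return $node;
}
```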
Comment | File | Size | Author |
---|---|---|---|
#1 | 735488_better_authentication_for_mailhandler_mailcomment.patch | 1.13 KB | greggles |
Comments

Comment #1 by greggles (patch attached)

Comment #2 by Ian Ward: Thanks Greg, I've applied your patch.