After a fresh install, admin/config/people/accounts is set to "Who can register accounts?" = Visitors.

I would be more comfortable if this was set to "Administrators only" to prevent new users from unexpectedly having their virgin site populated with unexpected new accounts.

Since "user pictures" is also enabled, a new install is open to numerous images being uploaded. This might not occur to someone new to Drupal.

Comments

dave reid’s picture

Status: Active » Closed (works as designed)

This is exactly how Drupal has worked for a long, long time, so I don't see any need to change it.

Anonymous’s picture

Status: Closed (works as designed) » Active

Dave, sorry for re-opening this, but I agree with iantresman, and feel it should be re-considered. Using the "This is exactly how Drupal has worked for a long, long time" is not a reason to perpetuate a situation, as is argued in many other issue queues.

The issue may only be an edge case, but it does happen, and I guess there are a number of people who have created websites live, and some may have missed registrations that they then have to deal with, or maybe never even spot, leaving a security risk.

In my case (was D6), I have one website which has been more of a playground for myself over the last 3 years, with only myself and a handful of friends knowing it existed. Obviously people looking for domains may find it, as may others, but in general, it's just me.

In my case I had decided to do a clean sweep of my site a few months back, and did a clean install, put in the database details, user 1 details, activated a set of modules I normally use, and that is as far as I got. Phone rang, and family emergency. I have only just started to get back on my feet, so this website was put on hold, as no one really knew it was there. Well, on going to the site to continue the set up, I found a rogue registration.

Over the last year I have created 5 websites, none of which allow users to create accounts.

Drupal promotes "Security" at every opportunity, with what appears to many as rapid response fixes.
So would it not be better to provide as default "Only site administrators can create new user accounts." (or the D7 equivalent), and then allow the main admin to decide what level they want to reduce the security to for visitors, rather than force them to accept the lowest level of security?

Please reconsider this simple feature.

iantresman’s picture

Version: 7.0-alpha1 » 7.0-alpha4

I'm still worried that after a fresh install, any opportunistic visitor can register an account on my virgin site. Since a beginner to Drupal would not consider having to lock visitors out, I still think this should be changed. Better safe than sorry.

dmitrig01’s picture

Version: 7.0-alpha4 » 8.x-dev

David_Rothstein’s picture

Version: 8.x-dev » 7.x-dev

I think that this is a small enough change that it could potentially still happen for D7 (at least if it were done via the install profile rather than hardcoded as the default in the user module).

I have mixed feelings though... On the one hand, it is certainly a bit disconcerting that the default Drupal install allows (human) spammers to easily come along and do things like add comments and upload images to your site. On the other hand, one of the biggest strengths of Drupal is that it's good for community websites - so shutting this off by default doesn't seem right either.

Also, people can come along and upload spam, but unless you've granted other permissions, it won't be very effective spam since most other users won't be able to see it, and the site administrator of course can just delete it, so no real harm done. If #364159: Enable 'access comments' permission for anonymous users by default. happens things would be a bit different though.

dave reid’s picture

Status: Active » Closed (duplicate)
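
The install-profile approach David_Rothstein mentions, sketched for Drupal 7 as an added example; it is not code from this issue or from Drupal core. The profile name `hardened` and its file `hardened.install` are assumptions. It sets registration to administrators only, turns off user pictures, and reports on the status page when registration is open or when accounts other than user 1 already exist.

```php
<?php
/**
 * @file
 * hardened.install, for a hypothetical install profile named "hardened".
 */

/**
 * Implements hook_install().
 */
function hardened_install() {
  // "Who can register accounts?" = Administrators only.
  variable_set('user_register', USER_REGISTER_ADMINISTRATORS_ONLY);
  // No picture uploads until the administrator enables them.
  variable_set('user_pictures', 0);
}

/**
 * Implements hook_requirements().
 */
function hardened_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  $t = get_t();
  // Assumption: an unset variable is treated as the open default this thread describes.
  $mode = variable_get('user_register', USER_REGISTER_VISITORS);
  // Accounts besides anonymous (uid 0) and the installer account (uid 1).
  $extra = db_query('SELECT COUNT(*) FROM {users} WHERE uid > 1')->fetchField();
  $labels = array(
    USER_REGISTER_ADMINISTRATORS_ONLY => $t('Administrators only'),
    USER_REGISTER_VISITORS => $t('Visitors'),
    USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL => $t('Visitors, with administrator approval'),
  );
  $open = ($mode != USER_REGISTER_ADMINISTRATORS_ONLY);
  $requirements['hardened_registration'] = array(
    'title' => $t('Account registration'),
    'value' => isset($labels[$mode]) ? $labels[$mode] : $t('Unknown'),
    'severity' => ($open || $extra > 0) ? REQUIREMENT_WARNING : REQUIREMENT_OK,
    'description' => $t('@count account(s) exist besides user 1. Review the setting at <a href="@url">account settings</a>.', array(
      '@count' => $extra,
      '@url' => url('admin/config/people/accounts'),
    )),
  );
  return $requirements;
}
```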