I currently discovered if I block someone while they are on the site, that they are not truly blocked (they remain logged in) and more disturbingly are assigned an administer role.

I recently used the troll module user list to search for a user, clicked on "Block User" while the user was still on the site, and thought everything was OK. Well I noticed this user was still showing up as logged on whenever the user would visit the site. I did not think anything about it. I noticed a user complained a comment was edited. In trying to discover what caused that I noticed the blocked user was assigned an administrator role. I created a role to assign designated users who can admin the site. It does not have user 0 power but has many editing options turned on.

Well I went and tested blocking a user using the troll module admin list and that user was able to remain logged in and was assigned the administrator role. I was able to duplicate this several times. The good thing is the user does not get all administrative privileges because the admin menu does not show up. But this appears to be a major problem.

The admin permissions that were activated were all user admin functions, and comment editing functions.

I am currently using Drupal 5.7. I have some other modules added onto the site. I don't know what else to put, but I am willing to help you diagnose the problem. Ask the questions and I will answer them to the best of my ability.

Comments

jaydub’s picture

The user session was not being deleted after a user is blocked
so I've added that as per a similar case in the abuse module

#148277: Banning does not end user session, user still able to post

As for this user gaining an admin permission well it could be
that you had not set the 'troll_block_role' variable which basically
is the role that a blocked user is assigned to. In the troll admin
settings 'admin/settings/troll/settings' you will find this role
selection option.

the Drupal function to get the user roles (user_roles()) returns
the results sorted by name. If you happened to have a role
named 'admin' then that would be at the top of the list of
roles above 'anonymous' which is a more sensible default.

So if we assume that your troll settings inadvertently had
set your 'admin' role as the role to move a blocked user
to AND the user session was never destroyed when you
blocked that user then it's possible that what you described
above could have happened.

I'll commit the session destroy change and make a new
release.

myersca’s picture

Status: Active » Closed (fixed)

I see and this probably was the case. Since I called the admin role admin, that was the first showing up in the list, thus the default assignment if someone is banned. Maybe the default role should be anonymous or have no role assigned by default. Thank goodness the user that was banned was not that smart, because it could have been a big problem. Thanks.

myersca’s picture

I can confirm that the session is now being destroyed correctly. But it is disturbing that if you reset to defaults the default role that gets selected is the first one in the list alphabetically and if someone has a role called Admin or Administrator this would be selected because of the order. It would probably be a lot better that it defaults to none or anonymous.

jaydub’s picture

I've made a change to the settings page to insert a default option
on the user roles select dropdown. This will force the user to choose
a user role since the default option ( - Select Role- ) will fail during
the form validation phase.
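The two defects jaydub describes (an unset 'troll_block_role' falling through to the first entry of a name-sorted role list, and a block that leaves the user's session alive) and the two fixes (a placeholder option that fails form validation, and destroying the session on block) modelled in a small Python simulation. This is an added example, not the troll module's PHP or any Drupal API; the role table, user ids, session ids and the `PLACEHOLDER` sentinel are constructed, and the `user_roles()`-style ordering is mimicked with a plain dict sorted by role name.

```python
"""Constructed model of the two defects discussed in this thread (Python, not the
troll module's PHP): (1) an unset 'troll_block_role' setting silently fell back to
the first entry of a name-sorted role list, and (2) blocking did not end the
user's session. Role names, user ids and session ids below are made up."""

import copy

# Constructed role table in the shape user_roles() returns: rid => name.
# The site owner named their privileged role 'admin', which sorts before 'anonymous user'.
ROLES = {1: "anonymous user", 2: "authenticated user", 3: "admin"}
PLACEHOLDER = 0  # assumed sentinel for the "- Select Role -" option


def roles_sorted_by_name(roles):
    """Mimic user_roles(): the same rid => name map, ordered by role name."""
    return dict(sorted(roles.items(), key=lambda kv: kv[1]))


def default_block_role_old(roles, settings):
    """Old behaviour: with no saved setting the select's default is its first option."""
    rid = settings.get("troll_block_role")
    if rid is None:
        rid = next(iter(roles_sorted_by_name(roles)))
    return rid


def validate_block_role(roles, submitted):
    """Fixed settings form: the placeholder (or an unknown rid) fails validation."""
    if submitted == PLACEHOLDER or submitted not in roles:
        return False, "You must select the role blocked users are moved to."
    return True, None


def make_site():
    """Constructed site state: setting never saved, user 7 has two live sessions."""
    return {
        "roles": dict(ROLES),
        "settings": {},                                      # troll_block_role never saved
        "sessions": {"sid-a": 7, "sid-b": 7, "sid-c": 9},    # sid => uid
        "users": {7: {"status": 1, "roles": {2}}, 9: {"status": 1, "roles": {2}}},
    }


def block_user_old(site, uid):
    """Reproduce the reported behaviour: role taken from the sorted-list default,
    status flipped to blocked, sessions left untouched."""
    site = copy.deepcopy(site)
    rid = default_block_role_old(site["roles"], site["settings"])
    site["users"][uid]["status"] = 0
    site["users"][uid]["roles"] = {rid}
    return site


def block_user_fixed(site, uid):
    """Fixed behaviour: refuse to act without an explicitly configured role, then
    move the user, mark them blocked and delete every session belonging to them."""
    site = copy.deepcopy(site)
    rid = site["settings"].get("troll_block_role", PLACEHOLDER)
    ok, msg = validate_block_role(site["roles"], rid)
    if not ok:
        raise ValueError(msg)
    site["users"][uid]["status"] = 0
    site["users"][uid]["roles"] = {rid}
    site["sessions"] = {sid: u for sid, u in site["sessions"].items() if u != uid}
    return site


def session_is_live(site, sid):
    """As in the thread, an existing session row keeps serving the user as logged in;
    the status flag alone does not end it, only deleting the row does."""
    return site["sessions"].get(sid) is not None


def role_names(site, uid):
    """Human-readable roles currently held by a user."""
    return {site["roles"][r] for r in site["users"][uid]["roles"]}


if __name__ == "__main__":
    site = make_site()
    old = block_user_old(site, 7)
    print("old:", role_names(old, 7), "session live:", session_is_live(old, "sid-a"))
    site["settings"]["troll_block_role"] = 1
    fixed = block_user_fixed(site, 7)
    print("fixed:", role_names(fixed, 7), "session live:", session_is_live(fixed, "sid-a"))
```

Running it shows the old path handing user 7 the 'admin' role while 'sid-a' stays live, and the fixed path refusing to block until a role is chosen, then moving the user to 'anonymous user' and deleting both of their sessions while user 9's session is untouched. The design point is the one myersca raises: a privileged setting must never get an implicit default from whatever happens to sort first, so the form ships a placeholder that validation rejects.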