Patch #25483

closed

Forbid to edit/update/delete the anonymous user

Added by Holger Just over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: Accounts / authentication
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Right now, an admin can (in principle) edit and even delete the Anonymous user via the UserController since it doesn't restrict its query to logged users. This should not be possible and doesn't seem to be intended from the surrounding code:

  • When showing the edit form for the anonymous user, a template error occurs in app/views/users/_general.html.erb.
  • When deleting the anonymous user, all its objects will be assigned to itself and the user gets deleted. While it will be automatically recreated on next access, all its issues, journals, ... will have dangling user_ids pointing to the old anonymous user.

The attached patch restricts edit/update/delete of users to logged users. Displaying the user page of Anonymous is still supported. The patch was extracted from Planio.

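The scoping problem described in the report, as an added example that is not part of the report or of the committed patch. It is a plain Ruby model of the `find_user` filter: Redmine's `User.logged` scope is assumed to exclude the anonymous account (status 0) and is replaced here by an in-memory table, `RecordNotFound` stands in for `ActiveRecord::RecordNotFound`, and the `UsersController` class, the `USERS` table and the `compare_filters` helper are constructed for illustration. It runs the same admin requests through the unrestricted filter and the restricted one, so the difference shows up as a 404 for edit/update/destroy on the anonymous id while show still resolves.

```ruby
# Added example (not Redmine's code): a Rails-free model of the lookup that
# UsersController#find_user performs before show/edit/update/destroy.
# Assumptions: User.logged excludes the anonymous account (status 0); the
# USERS table, the controller class and RecordNotFound are stand-ins.

STATUS_ANONYMOUS = 0
STATUS_ACTIVE    = 1

User = Struct.new(:id, :login, :status) do
  def anonymous?
    status == STATUS_ANONYMOUS
  end
end

class RecordNotFound < StandardError; end

# Constructed user table; id 2 plays the role of the AnonymousUser row.
USERS = [
  User.new(1, "admin",     STATUS_ACTIVE),
  User.new(2, "anonymous", STATUS_ANONYMOUS),
  User.new(3, "alice",     STATUS_ACTIVE),
].freeze

# User.find(id): any row, the anonymous one included.
def find_any(id)
  USERS.find { |u| u.id == id } or raise RecordNotFound, "user #{id}"
end

# User.logged.find(id): only real (non-anonymous) accounts.
def find_logged(id)
  USERS.find { |u| u.id == id && !u.anonymous? } or raise RecordNotFound, "user #{id}"
end

# Actions that change or remove the record and must never reach Anonymous.
MUTATING_ACTIONS = %i[edit update destroy].freeze

# The filter as reported: one unscoped lookup for every action.
UNRESTRICTED = ->(_action, id) { find_any(id) }

# The hardened filter: show keeps Anonymous viewable, mutating actions
# resolve through the logged scope and therefore 404 for the anonymous id.
RESTRICTED = lambda do |action, id|
  MUTATING_ACTIONS.include?(action) ? find_logged(id) : find_any(id)
end

class UsersController
  def initialize(find_user)
    @find_user = find_user
  end

  # Returns [status, body]; a failed lookup becomes a 404 as in Rails.
  def call(action, params)
    @user = @find_user.call(action, params[:id])
    public_send(action)
  rescue RecordNotFound
    [404, "not found"]
  end

  def show
    [200, "profile of #{@user.login}"]
  end

  def edit
    [200, "edit form for #{@user.login}"]
  end

  def update
    [302, "updated #{@user.login}"]
  end

  def destroy
    [302, "deleted #{@user.login}"]
  end
end

# Runs the same admin requests through both filters and returns the HTTP
# status each produced, keyed by action, for the given user id.
def compare_filters(id)
  before = UsersController.new(UNRESTRICTED)
  after  = UsersController.new(RESTRICTED)
  %i[show edit update destroy].to_h do |action|
    [action, { before: before.call(action, { id: id }).first,
               after:  after.call(action, { id: id }).first }]
  end
end

if $PROGRAM_NAME == __FILE__
  compare_filters(2).each { |action, r| puts "#{action}: #{r[:before]} -> #{r[:after]}" }
end
```

Run stand-alone it prints, for the anonymous id, `show: 200 -> 200`, `edit: 200 -> 404`, `update: 302 -> 404` and `destroy: 302 -> 404`. The point to check when reviewing a fix of this kind is that the scope is applied in the lookup filter itself, so the update and destroy actions are covered as well as the edit form.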

#1

Updated by Go MAEDA over 7 years ago

  • Target version set to 3.4.0

Confirmed the problem. Setting target version to 3.4.0.
Thank you for sharing the patch.

#2

Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang

Patch committed, thanks!

#3

Updated by Jean-Philippe Lang over 7 years ago

Holger Just wrote:

  • When deleting the anonymous user, all its objects will be assigned to itself and the user gets deleted. While it will be automatically recreated on next access, all its issues, journals, ... will have dangling user_ids pointing to the old anonymous user.

FTR, I was not able to reproduce this behaviour as AnonymousUser#destroy does nothing and returns false.

#4

Updated by Holger Just over 7 years ago

Ah, because AnonymousUser#destroy is indeed overwritten to do nothing (i.e. just return false). All the hooks would still run, which might have unwanted consequences, thus this patch is still absolutely warranted.
