Patch #25483
Forbid to edit/update/delete the anonymous user
Status: closed
Description
Right now, an admin can (in principle) edit and even delete the Anonymous user via the UserController since it doesn't restrict its query to logged users. This should not be possible and doesn't seem to be intended from the surrounding code:
- When showing the edit form for the anonymous user, a template error occurs in app/views/users/_general.html.erb.
- When deleting the anonymous user, all its objects will be assigned to itself and the user gets deleted. While it will be automatically recreated on next access, all its issues, journals, ... will have dangling user_ids pointing to the old anonymous user.
The attached patch restricts edit/update/delete of users to logged users. Displaying the user page of Anonymous is still supported. The patch was extracted from Planio.
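An added example, not code from the Redmine patch or from Planio: it models the lookup behaviour described above with an in-memory user table in plain Ruby (no ActiveRecord). The class, scope and method names (UserTable, Relation, find_user_before_patch, find_user_after_patch, RESTRICTED_ACTIONS) are assumptions for illustration, not Redmine's real API. It shows that an unrestricted find resolves the anonymous id for every action, while scoping only the mutating actions to the logged users keeps show working and turns edit/update/destroy on that id into a not-found.

```ruby
# Added example (not Redmine's code). Names below are assumptions modelled
# on the issue text, not the real Redmine classes or scopes.

class RecordNotFound < StandardError; end

# Minimal stand-in for an ActiveRecord relation: a list of records with a
# find(id) that raises when nothing matches, as AR's find does.
class Relation
  def initialize(records)
    @records = records
  end

  def find(id)
    record = @records.find { |u| u.id == id }
    raise RecordNotFound, "Couldn't find User with id=#{id}" unless record
    record
  end
end

class User
  attr_reader :id, :login

  def initialize(id, login)
    @id = id
    @login = login
  end

  def anonymous?
    false
  end
end

# The anonymous placeholder: its destroy is a no-op that returns false.
class AnonymousUser < User
  def anonymous?
    true
  end

  def destroy
    false
  end
end

# In-memory stand-in for the users table with the two scopes that matter.
class UserTable
  def initialize(users)
    @users = users
  end

  # Every row, including the anonymous placeholder.
  def all
    Relation.new(@users)
  end

  # Only real users: what the patch scopes the mutating lookups to.
  def logged
    Relation.new(@users.reject(&:anonymous?))
  end
end

# Read-only action: resolving any user, anonymous included, is fine.
SHOW_ACTIONS = %w[show].freeze
# Mutating actions the patch restricts to logged users.
RESTRICTED_ACTIONS = %w[edit update destroy].freeze

# Before the patch: one unrestricted lookup shared by every action.
def find_user_before_patch(table, _action, id)
  table.all.find(id)
end

# After the patch: mutating actions look the user up in the logged scope,
# so pointing edit/update/destroy at the anonymous id raises (404 in Rails).
def find_user_after_patch(table, action, id)
  scope = RESTRICTED_ACTIONS.include?(action) ? table.logged : table.all
  scope.find(id)
end

# Returns the actions for which `finder` resolves `id` to the anonymous user.
def actions_reaching_anonymous(table, id, finder)
  (SHOW_ACTIONS + RESTRICTED_ACTIONS).select do |action|
    finder.call(table, action, id).anonymous?
  rescue RecordNotFound
    false
  end
end

# Constructed sample data: one admin and the anonymous user.
def sample_table
  UserTable.new([User.new(1, "admin"), AnonymousUser.new(2, "Anonymous")])
end

if __FILE__ == $PROGRAM_NAME
  table = sample_table
  puts "before patch: #{actions_reaching_anonymous(table, 2, method(:find_user_before_patch)).inspect}"
  puts "after patch:  #{actions_reaching_anonymous(table, 2, method(:find_user_after_patch)).inspect}"
end
```

Running the file prints that before the change all four actions resolve the anonymous id and after it only show does; the admin (id 1) still resolves for every action, and calling destroy on the anonymous record returns false without removing anything.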
Updated by Go MAEDA over 7 years ago
- Target version set to 3.4.0
Confirmed the problem. Setting target version to 3.4.0.
Thank you for sharing the patch.
Updated by Jean-Philippe Lang over 7 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
Patch committed, thanks!
Updated by Jean-Philippe Lang over 7 years ago
Holger Just wrote:
- When deleting the anonymous user, all its objects will be assigned to itself and the user gets deleted. While it will be automatically recreated on next access, all its issues, journals, ... will have dangling user_ids pointing to the old anonymous user.
FTR, I was not able to reproduce this behaviour as AnonymousUser#destroy does nothing and returns false.
Updated by Holger Just over 7 years ago
Ah, because AnonymousUser#destroy is indeed overwritten to do nothing (i.e. just return false). All the hooks would still run, which might have unwanted consequences, thus this patch is still absolutely warranted.