Patch #25483

Forbid to edit/update/delete the anonymous user

Added by Holger Just over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: Accounts / authentication
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Right now, an admin can (in principle) edit and even delete the Anonymous user via the UserController since it doesn't restrict its query to logged users. This should not be possible and doesn't seem to be intended from the surrounding code:

  • When showing the edit form for the anonymous user, a template error occurs in app/views/users/_general.html.erb.
  • When deleting the anonymous user, all its objects will be assigned to itself and the user gets deleted. While it will be automatically recreated on next access, all its issues, journals, ... will have dangling user_ids pointing to the old anonymous user.

The attached patch restricts edit/update/delete of users to logged users. Displaying the user page of Anonymous is still supported. The patch was extracted from Planio.
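As an added illustration (not the attached patch and not Redmine's or Planio's code), a minimal plain-Ruby model of the guard the description asks for: a hypothetical UsersController whose user lookup is scoped to logged users for edit/update/destroy but not for show, run against constructed in-memory users and issues tables.

```ruby
# Added illustration of the guard described above (not the Redmine/Planio patch).
class NotFound < StandardError; end
User = Struct.new(:id, :login, :anonymous) do
  def logged?; !anonymous; end
end

# Constructed in-memory tables: Anonymous sits next to real accounts, so a plain
# find-by-id returns it like any other user; issues reference authors by user id.
USERS = {
  1 => User.new(1, "admin", false),
  2 => User.new(2, "alice", false),
  3 => User.new(3, "Anonymous", true),
}
ISSUES = [
  { id: 10, author_id: 2 },
  { id: 11, author_id: 3 }, # filed anonymously
]

# Minimal stand-in for a users controller (hypothetical, not Redmine's code).
class UsersController
  MUTATING = %i[edit update destroy].freeze

  # Look up the user; for mutating actions only logged users qualify, so the
  # anonymous user is treated as not found (a 404 in a Rails app).
  def find_user(action, id)
    user = USERS[id]
    raise NotFound, "user #{id}" if user.nil?
    raise NotFound, "user #{id}" if MUTATING.include?(action) && !user.logged?
    user
  end

  def show(id)
    find_user(:show, id).login # viewing Anonymous stays allowed
  end

  def destroy(id)
    user = find_user(:destroy, id)
    anon = USERS.values.find { |u| !u.logged? }
    # Hand the user's issues to Anonymous, then drop the account. Without the guard,
    # deleting Anonymous reassigns its issues to itself and then removes it.
    ISSUES.each { |i| i[:author_id] = anon.id if i[:author_id] == user.id }
    USERS.delete(user.id)
    user.id
  end
end

# Issues whose author_id no longer resolves to a user (the dangling references).
def dangling_author_ids
  ISSUES.count { |i| !USERS.key?(i[:author_id]) }
end
```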
