Issue 15442
Anonymous users have access to server and PHP session information
Reporter: bko
Assignee: cvizitiu
Type: Bug
Summary: Anonymous users have access to server and PHP session information
Priority: Major
Resolution: Fixed
Status: Closed
Created: 2014-03-25 17:13:27.458
Updated: 2014-03-26 13:30:09.107
Resolved: 2014-03-26 13:08:16.279
Description: We have information like this exposed to anonymous users:
http://www.gbif.org/devel/phpinfo
http://www.gbif.org/devel/field/info
This results from the permission settings in Drupal, as shown in the attached image.
Attachment devel in permission.png
Author: bko@gbif.org
Created: 2014-03-25 17:23:01.851
Updated: 2014-03-25 17:23:20.456
[~cvizitiu@gbif.org] I am bringing this to your attention. The devel permission for anonymous and authenticated users should be turned off ASAP. For other roles they are somehow locked, which we'll need to fix or alter from the code, I guess.
I so far haven't located any user_role_*_permission() in our custom modules so we need to investigate the way to change that for the rest of the roles. I think only Admin should be granted the permission.
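One way to make the change from code, as the comment above proposes, is an update hook that revokes every devel permission from every role except the administrator role. This is an added example, not code from the GBIF site: it assumes Drupal 7 with the devel module enabled, and the module name `mymodule` is hypothetical.

```php
<?php
/**
 * Implements hook_update_N() in a hypothetical custom module "mymodule".
 *
 * Assumption: Drupal 7 with the devel module enabled. Revokes all
 * permissions defined by devel from every role except the admin role.
 */
function mymodule_update_7001() {
  // Read the permission names from devel's own hook_permission(), so the
  // list is not hard-coded and follows whatever the installed version defines.
  $devel_perms = array_keys((array) module_invoke('devel', 'permission'));
  if (empty($devel_perms)) {
    return 'devel is not enabled; nothing to revoke.';
  }

  // Role configured as administrator. If none is configured this is 0 and
  // no role is skipped, so devel permissions are revoked from all roles.
  $admin_rid = (int) variable_get('user_admin_role', 0);

  $changed = array();
  foreach (user_roles() as $rid => $name) {
    if ((int) $rid === $admin_rid) {
      continue;
    }
    // user_role_permissions() returns array($rid => array($perm => TRUE)).
    $granted = user_role_permissions(array($rid => $name));
    $to_revoke = array_intersect($devel_perms, array_keys($granted[$rid]));
    if (!empty($to_revoke)) {
      user_role_revoke_permissions($rid, $to_revoke);
      $changed[] = $name . ': ' . implode(', ', $to_revoke);
    }
  }

  return empty($changed)
    ? 'No devel permissions were granted outside the admin role.'
    : 'Revoked devel permissions from ' . implode('; ', $changed);
}
```

After the update runs, requesting the two URLs from the description without a session cookie should return an access-denied response instead of the devel output.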