SA-CORE-2016-002: Patch user module vulnerability that sometimes grants the user all ro…

[ashalan]

…les on save

[dsnopek]

Several members of the Drupal security team attempted to reproduce this security issue on Drupal 6 and were unable to - that's why the Drupal 6 Long-Term Support vendors didn't release a patch. Here's a short excerpt from the comments on the private issue on security.drupal.org:

on 6.37 I have created a new site, enabled a custom module, added a new role, added a new user. Logged in as the new user in a new browser, edited the account, [...] confirmed that the DSM is displayed, submitted again. As uid 1 I confirmed that the new user did not get the new role.

A difference between D7 and D6 is that D6 completely omits the role section if the user does not have the 'administer permissions' permission.

So, I don't think this fix is necessary!

[ashalan]

Noted. Thanks for the prompt response @dsnopek !!