ccswbs / hjckrrh

GNU General Public License v2.0

Remove access to ug_permit options #952

Closed tqureshi-uog closed 1 year ago

tqureshi-uog commented 1 year ago

The ug_permit module has serious security implications since clients can inadvertently grant Anonymous users the ability to update and delete content. Because the ug_permit module is a dependency for others, it cannot be disabled outright. An alternative solution is to remove the ability to set its permissions from all Drupal roles except the super user. To do this, the ug_role feature had to be updated. Once this change is merged, site managers, authors, and editors will no longer have access to the Permissions tab on the node edit screen.

mmafe commented 1 year ago

@tqureshi-uog I was able to remove the update and delete options from Anonymous users in the ug_permit module. Could this work: https://github.com/ccswbs/hjckrrh/pull/954

That way, existing users can still use the module (and deny anonymous users access to certain pages) but they're no longer able to give anonymous users the update and delete permission.