pencil icon appears despite not being logged in - upgrade from 9.x to 10.1.0.7092

Fresh upgrade from 9.1 to 10.1.0.7092. When bringing the site up as an anonymous user, the pencil icon appears in the top left corner.


The Everyone role only has Read site permission checked.

Any help is appreciated!

J.F.

  • When you open the menu as an anonymous user, what do you have access to? That should identify the permissions that should be revoked to prevent the pencil from showing. The icon shows if the accessing user has permission to perform any managerial actions.

  • "Administration" appears in the list, but when you click on it it redirects to the login page.

  • What permissions are granted to the Everyone role and is the Anonymous user in any other roles?

  • Everyone has Read Site permission and Anonymous user is only in the Everyone role (when looking at the administration interface).

    We've run the following query in both the old and the new databases and the results are different. The old database has no results in the cs_Security_NodePermissions table whereas the new (upgraded) database has lots of results:

    --Have these roles been granted any special permissions
    select * from cs_Security_NodePermissions
    where RoleId in (select RoleId from cs_Security_UserRoles where UserId = (select UserId from cs_users where IsAnonymous =1))

    NodeId RoleId IsAllowed PermissionId
    46943F19-146F-4689-B14C-6225DF46792F 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
    08EF2503-9C22-4407-94E1-9826343015E0 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 4ECFE6C1-7BEF-450F-B823-0B099CE9F8E9
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 904172B1-6424-461F-8596-155CA9CE8687
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 5F31F03A-1E5D-4E68-AAFB-1BE9D8D03160
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 0898A3BD-CD57-45CE-9708-7D458D17E255
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 86594DFA-AACE-4F0F-BB5D-9A0B6C6993A6
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 41407D79-E3BA-4E25-8F54-A1650B8C72D0
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 4EC7CD6D-0DAA-4E4C-9EBA-B13D33143964
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F0A00173-E22B-4A0E-BDD6-B4758CD3FF7B
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F57FAD16-097A-49B1-B43A-CBC228F7324B
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 89E7B8B4-9B79-45E2-B537-CE6C1EDD9E27
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 16B1A200-2966-468C-9077-E9DE71BA6056
    4D39F81E-C35E-4E5A-865D-E2762408B85C 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
    4D39F81E-C35E-4E5A-865D-E2762408B85C 1 1 BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE

  • That's interesting. Here are the mentioned permissions:

    • F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF: Rate Posts
    • F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF: Rate Posts
    • 4ECFE6C1-7BEF-450F-B823-0B099CE9F8E9: Edit Comments
    • 904172B1-6424-461F-8596-155CA9CE8687: Manage Custom Pages
    • 5F31F03A-1E5D-4E68-AAFB-1BE9D8D03160: Attach URLs
    • C6A0ADC7-DBA7-43E3-9B66-41D78BB98552: Moderate and Review Abuse
    • 0898A3BD-CD57-45CE-9708-7D458D17E255: Delete Comments
    • F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF: Rate Posts
    • 86594DFA-AACE-4F0F-BB5D-9A0B6C6993A6: Manage Blog
    • 41407D79-E3BA-4E25-8F54-A1650B8C72D0: Manage Blog Theme
    • 4EC7CD6D-0DAA-4E4C-9EBA-B13D33143964: Delete Posts
    • F0A00173-E22B-4A0E-BDD6-B4758CD3FF7B: Edit Posts
    • BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE: Create Comments
    • F57FAD16-097A-49B1-B43A-CBC228F7324B: Attach Uploaded Files
    • 89E7B8B4-9B79-45E2-B537-CE6C1EDD9E27: Create Posts
    • 16B1A200-2966-468C-9077-E9DE71BA6056: Bypass Validation
    • F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF: Rate Posts
    • BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE: Create Comments

    The Moderate and Review Abuse grant would cause the Administration option to be available, which is probably why you're seeing the pencil icon.

    The following query will identify the role that grants the Moderate and Review Abuse permission:

    select r.Name
    from cs_Security_NodePermissions p
    inner join cs_Security_Roles r on p.RoleId = r.RoleId
    where p.PermissionId = 'C6A0ADC7-DBA7-43E3-9B66-41D78BB98552'
    	and r.RoleId in (
    		select RoleId 
    		from cs_Security_UserRoles
    		where UserId = (select UserId from cs_users where IsAnonymous =1)
    		)

  • I've cleared the entire cs_Security_NodePermissions table, did an IISRESET and the pencil icon is still there.
    The only records in that table were for RoleId == 1 / Everyone.

  • Ok - so I've "worked around" this issue but it isn't ideal... Please let me know if you know why this happened during the upgrade and how to resolve it "properly"?

    delete from Community.dbo.cs_Security_EffectivePermissions
    where PermissionId='C6A0ADC7-DBA7-43E3-9B66-41D78BB98552' and RoleId=1

    Original contents:

    NodeId RoleId IsAllowed IsImmediate PermissionId
    A5A630EC-395A-48BD-8C43-97F5AAE80F74 1 1 0 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552
    FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 1 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552

  • If you run this query, you'll be able to determine the context for this permission being granted (the NodeId and NodeTypeId/ApplicationTypeId in the result should identify the application/group that granted this permission):

    select *
    from cs_Nodes
    where NodeId in ('A5A630EC-395A-48BD-8C43-97F5AAE80F74', 'FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61')

    Is it possible that the permissions were manually adjusted for 'Everyone' in the scope identified by the result of this query? Or are you pretty certain it was only the upgrade that modified permissions since your last-known-good state?

  • We have the 9.1 database still available to review the tables and the NodePermissions table was empty prior to the upgrade. The query you just provided also shows 2 rows in the upgraded DB but 0 rows in the 9.1 DB.

  • I was just asking if it's possible that a permission change was made post-upgrade.

    What is the NodeTypeId / ApplicationTypeId for the two returned rows?
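
Added example, not part of the thread and not vendor code: a read-only T-SQL audit for the situation above, where the grant was still present in cs_Security_EffectivePermissions after cs_Security_NodePermissions had been cleared. It lists every allowed effective permission held by the anonymous user's roles and marks whether an explicit grant backs it; it uses only the tables and columns shown in the posts, and the output aliases (RoleName, GrantSource) are made up here.

```sql
-- Audit: what can the anonymous user's roles actually do after the upgrade?
-- Read-only; run against the upgraded database.
select
    r.Name          as RoleName,
    ep.NodeId,
    ep.PermissionId,
    ep.IsImmediate,
    case
        when np.PermissionId is null
            then 'effective only (no NodePermissions row)'
        else 'explicit grant in NodePermissions'
    end             as GrantSource
from cs_Security_EffectivePermissions ep
inner join cs_Security_Roles r
    on r.RoleId = ep.RoleId
-- Left join so that effective rows without an explicit grant still appear.
left join cs_Security_NodePermissions np
    on  np.NodeId       = ep.NodeId
    and np.RoleId       = ep.RoleId
    and np.PermissionId = ep.PermissionId
    and np.IsAllowed    = 1
where ep.IsAllowed = 1
  and ep.RoleId in (
        select RoleId
        from cs_Security_UserRoles
        -- "in" rather than "=" so the query does not fail
        -- if more than one account is flagged anonymous.
        where UserId in (select UserId from cs_users where IsAnonymous = 1)
      )
order by r.Name, ep.PermissionId, ep.NodeId
```

Any row other than the intended read permission is a grant to unauthenticated visitors; the NodeId values can be fed to the cs_Nodes query from the thread to find the application or group each one belongs to.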