/admin/settings/salesforce/fieldmap/%/edit and friends are accessible by any user (including anonymous), as the access callback function _salesforce_fieldmap_access() does not do any permission checking - it only checks whether the fieldmap name is valid.

This is critical as it means any user can edit or delete fieldmaps without permission, although mitigated by the fact the user has to know the precise fieldmap name to be able to exploit it (the fieldmap list is properly protected).

CommentFileSizeAuthor
#1 1198786-salesforce_fieldmap_access.patch480 byteslongwave

Comments

longwave’s picture

Status: Active » Needs review
StatusFileSize
new480 bytes

Patch attached.

kostajh’s picture

Thanks for catching this! I am going to commit it now and tag a new alpha release.

kostajh’s picture

Status: Needs review » Fixed
kostajh’s picture

Here's the release node for alpha8: https://drupal.org/node/1201776

Thanks again!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.