
Block module visibility settings are bypassed.

Project: Insert Block
Version: 7.x-1.x-dev
Component: Code
Category: feature request
Priority: major
Assigned: mlsamuelson
Status: closed (fixed)
Issue tags: insert_block visibility

Issue Summary

Hello,

I've created a custom block that contains a simple HTML link to another page, and I set its visibility to anonymous users only. But after I log in, the insert_block filter still renders the block, and it is visible to authenticated users. I tried to set PHP block visibility using !$user->uid as the return TRUE value and gave the anonymous role the "use PHP for block visibility" permission, but with no luck: the block is still rendered when I log in. But when I put the same block in the left sidebar, it works normally.

Any advice? I'm just web designer with no experiences with module development.

Thank you.

Comments

#1

Title: Something miss with block visibility » Block module visibility settings are bypassed.
Version: 6.x-1.x-dev » 7.x-1.x-dev
Priority: normal » major

Increasing to major as it could be considered a security hole: it bypasses what most users see as a restriction.

The following patch adds a role setting to the filter, allowing you to decide whether you want to enforce the role checking. I think that the other filters are pointless, as the user preference is an optional restriction, and page settings are pointless when embedding in content.

Attachment: insert_block-add-role-checking.patch (3.85 KB)
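To illustrate the role enforcement the patch above describes, here is an added Drupal 7 example of a filter-side check that consults the same {block_role} data the Block module uses when placing a block in a region. This is not the Insert Block module's own code or the attached patch; the filter setting name insert_block_check_roles and the function names are assumptions chosen for this illustration.

```php
<?php
/**
 * Illustrative Drupal 7 role check for a text filter that embeds blocks.
 * Added example, not Insert Block's committed patch. The filter setting
 * 'insert_block_check_roles' and both function names are hypothetical.
 */

/**
 * Returns TRUE when the block has no role restriction, or when the account
 * holds at least one of the roles ticked for it in {block_role}.
 */
function example_insert_block_role_allowed($module, $delta, $account = NULL) {
  if (!isset($account)) {
    global $user;
    $account = $user;
  }
  // Same table the Block module reads for region placement.
  $rids = db_query('SELECT rid FROM {block_role} WHERE module = :module AND delta = :delta', array(
    ':module' => $module,
    ':delta' => $delta,
  ))->fetchCol();
  if (empty($rids)) {
    // No roles selected on the block configuration form: visible to all.
    return TRUE;
  }
  // $account->roles is keyed by rid, so compare against its keys.
  return (bool) array_intersect($rids, array_keys($account->roles));
}

/**
 * Renders a block for the filter only when the role check passes.
 * Fails closed: a restricted block yields an empty string, not markup.
 */
function example_insert_block_render($module, $delta, $filter) {
  if (!empty($filter->settings['insert_block_check_roles'])
      && !example_insert_block_role_allowed($module, $delta)) {
    return '';
  }
  // block_load() returns a stub without a bid when the block is unknown.
  $block = block_load($module, $delta);
  if (empty($block->bid)) {
    return '';
  }
  $rendered = _block_render_blocks(array($block));
  $build = _block_get_renderable_array($rendered);
  return drupal_render($build);
}
```

The page-visibility and PHP-visibility settings are deliberately not consulted here, matching the reasoning in the comment above that only the role restriction is meaningful when a block is embedded in content.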

#2

Aw, you are right Alan. I should have noticed the importance of this limitation of the module. My bad. An initial visual review of your patch looks good. I'll see if I can carve out the time to test it this week, and roll out updates for both Insert Block 7.x and 6.x.

In the meanwhile, due to this consideration, I've added a security note to the module description. We went through something similar with the Insert View module a few months back, and that was the recommendation of the security team, so I want to do right here, too.

#3

Assigned to: Anonymous » mlsamuelson
Status: active » fixed

Tested the patch. Works great. Committed to 7.x-1.x branch.

Taking a cue from Alan D.'s patch, I was able to implement an identical (in the UI, at least) update for the 6.x-1.x branch. Committed.

Thanks Alan D.!

#4

Glad to help :)

#5

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.