A user can switch to other user accounts and view their subusers by changing the URL user/1/subuser and replacing the number.

Is there a way to prevent this and only allowing the user to only view its subusers.

Comments

seanenroute’s picture

Priority: Major » Critical

I can confirm that this is still an issue and opens up a severe hole in the security of the site. By typing in /user/1/subuser anyone can take over the super user role.

lauriii’s picture

Issue summary: View changes
Issue tags: +Needs tests

I cant reproduce this. Maybe we need some tests for this?

lauriii’s picture

Priority: Critical » Normal
Status: Active » Closed (cannot reproduce)

Happily this issue doesn't exist. Please remember in the future, if you find open security issue from a module you have to report it to a separated security issue queue, not to the public issue queue. Otherwise the fix is public and the sites are in a very unsecure phase because there might not be fix available immediately.

shabam’s picture

Just a note. The reason why sites have this issue is because they have "View subusers" permission on which allows the user with those permissions to view ALL subusers. There is a patch here https://www.drupal.org/node/2542196 that corrects the wording on the permissions to clarify this.