Current-access handler only checks the admin permission:

function rules_config_access($op, $rules_config, $account = NULL) {
  return user_access('administer rules', $account);
}

We need to take into account though, whether a user is allowed to edit a config there. As the validation handler checks $config->access() I don't think this qualifies as security vulnerability, still we really should fix this -> marking as release blocker.

CommentFileSizeAuthor
#1 rules_config_access.patch17.72 KBfago

Comments

fago’s picture

Component: Rules Core » Rules Engine
Status: Active » Fixed
StatusFileSize
new17.72 KB

ok, I've implemented that: Patch attached.
I also improved the access system in general + improved the UI to don't show not accessible configurations or conditions/actions/events to be added.

Includes a smallAPI change:
The function signature of RulesPluginUI::getOptions() has been changed. It now just takes the "item_type" instead of the hook name as first argument:

-  return RulesPluginUI::getOptions('data_info');
+  return RulesPluginUI::getOptions('data');

Committed.

Automatically closed -- issue fixed for 2 weeks with no activity.