Hi,

I know this module isn't quite maintained anymore, but I think this issue should be considered whenever development restarts.

In the hook_menu() of apis modules (ex : charts_graphs_amcharts_menu()), the access argument is access content.

This a basic permission that probably works well for most sites.
But when working on a restricted website with sometimes private data, this is is an insufficient security level.

I think then the access to this data should follow the access defined in the view.

For now, even if I have no access to the page that displays the chart, I can still get the data with the appropriate URL :
http://mysite.com/charts_graphs_amcharts/getdata/data?cid=chgr_5c75b3f9c6331cabbc12ca07c5c5107d

And this data may be private.

I hope this could help increase the privacy of data.

Cheers,

Comments

ludo.r’s picture

Priority: Normal » Major

Changing priority as this is a major feature request.