Hi,
I know this module isn't quite maintained anymore, but I think this issue should be considered whenever development restarts.
In the hook_menu() of apis modules (ex : charts_graphs_amcharts_menu()), the access argument is access content.
This a basic permission that probably works well for most sites.
But when working on a restricted website with sometimes private data, this is is an insufficient security level.
I think then the access to this data should follow the access defined in the view.
For now, even if I have no access to the page that displays the chart, I can still get the data with the appropriate URL :
http://mysite.com/charts_graphs_amcharts/getdata/data?cid=chgr_5c75b3f9c6331cabbc12ca07c5c5107d
And this data may be private.
I hope this could help increase the privacy of data.
Cheers,
Comments
Comment #1
ludo.rChanging priority as this is a major feature request.