While salesforce_api module correctly check if the user have access to the permission "administer salesforce" before displaying the message if we are unable to connect to salesforce, sf_entity does not check that.

That could lead to the message being displayed to any user on the website.

Comments

haza’s picture

Status: Active » Needs review
StatusFileSize
new2.66 KB

Patch attached.

kostajh’s picture

Status: Needs review » Needs work

Incorrect parameters are passed to drupal_set_message in this patch (see http://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_...) and there's a typo as well towards the end.

aaronbauman’s picture

Status: Needs work » Fixed

modified version committed 7008cc60

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.