The authorization checks for the actual to do list are incomplete. Consequently, all content is world-readable via /mytinytodo/page?fid=1, regardless of the settings of the nodes that a to do list is attached to.
Comments
Comment #1
fizk commented
Fixed: http://drupalcode.org/project/mytinytodo.git/commitdiff/23b0fb5ee93a14ac...
Please let me know if this works for you. Requires Field Permissions.
Comment #2
ralphb commented
Hello fizk,
Thanks for the patch. It does work, I suppose, but I'm not too happy about the dependency on Field Permissions. That module hasn't been touched for almost a year and shows many open issues, many of them very recent. I'm also not sure that checking permission on the field level is the right granularity.
On my site I'm using Content Access (which, admittedly, is as poorly maintained as Field Permissions), but there are other modules out there. Wouldn't it make more sense to base access checks on the page/content level? I only had a quick look at the code but this seems to be the approach for checking write access anyway.
Comment #4
fizk commented
That makes sense. I've changed the code to check for field_access() and node_access().
If field_access(), which is implemented by field_permissions and can be modified via hook_field_access(), returns true and node_access() returns true, then permission to view/edit the todo list is granted.
http://drupalcode.org/project/mytinytodo.git/commit/5dd6d0c84766bd398107...
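
The combined check described in Comment #4, as an added example that is not part of the thread and not the mytinytodo module's own code: access is granted only when both node_access() and field_access() allow the operation, and everything else is denied. The callback name `example_todo_list_access`, the stand-in functions used when Drupal is not loaded, and the sample node, field and account objects are all assumptions constructed for illustration.

```php
<?php
// Constructed stand-ins so this file runs without Drupal. On a Drupal 7 site
// the real node_access() and field_access() are already defined and used.
if (!function_exists('node_access')) {
  function node_access($op, $node, $account = NULL) {
    // Constructed rule: anyone may view published nodes; only the author edits.
    if ($op === 'view') {
      return $node->status == 1 || $account->uid == $node->uid;
    }
    return $account->uid == $node->uid;
  }
}
if (!function_exists('field_access')) {
  function field_access($op, $field, $entity_type, $entity = NULL, $account = NULL) {
    // Constructed rule: a field marked private is visible to the author only.
    return empty($field['private']) || $account->uid == $entity->uid;
  }
}

/**
 * Hypothetical access callback for a to-do list attached to a node field.
 */
function example_todo_list_access($op, $node, $field, $account) {
  // field_access() takes 'view'/'edit'; node_access() takes 'view'/'update'.
  $node_ops = array('view' => 'view', 'edit' => 'update');
  // Deny by default: unknown operation, or no node/field could be resolved.
  if (!isset($node_ops[$op]) || empty($node) || empty($field)) {
    return FALSE;
  }
  // Both layers must agree before the list is shown or changed.
  return node_access($node_ops[$op], $node, $account)
    && field_access($op, $field, 'node', $node, $account);
}

// Constructed sample data.
$author = (object) array('uid' => 2);
$anon = (object) array('uid' => 0);
$unpublished = (object) array('nid' => 1, 'uid' => 2, 'status' => 0);
$published = (object) array('nid' => 2, 'uid' => 2, 'status' => 1);
$field = array('field_name' => 'field_todo', 'private' => TRUE);

$cases = array(
  array('view', $unpublished, $anon),   // blocked at the node level
  array('view', $published, $anon),     // node is public, field is private
  array('edit', $published, $author),   // author passes both checks
);
foreach ($cases as $case) {
  list($op, $node, $account) = $case;
  var_dump(example_todo_list_access($op, $node, $field, $account));
}
```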