I just noticed some user can see other payments (even if they doesn't have that permission). I found this problem in payment_access function:

      return user_access('payment.payment.' . $operation . '.any', $account) || $payment && user_access('payment.payment.' . $operation . '.own', $account) && $account->uid = $payment->uid;

$account->uid == $payment->uid should be the correct sintaxis.

This cause some session exchange between my users, so I think this is critical.

Comments

xano’s picture

xano
he/they
Primary language English
Location Southampton
commented
Assigned: Unassigned » xano
Status: Active » Fixed

This issue was fixed in collaboration with the security team. See SA-CONTRIB-2013-002 for more details.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

xano’s picture

xano
he/they
Primary language English
Location Southampton
commented
Assigned: xano » Unassigned