I just noticed some users can see other payments (even if they don't have that permission). I found this problem in the payment_access function:
return user_access('payment.payment.' . $operation . '.any', $account) || $payment && user_access('payment.payment.' . $operation . '.own', $account) && $account->uid = $payment->uid;
$account->uid == $payment->uid should be the correct syntax.
This causes some session exchange between my users, so I think this is critical.
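The difference between the quoted line and the proposed comparison, as an added example that is not part of the original report or of the Payment module's code. The user_access() stub, the two function names, and the sample account and payment are constructed for illustration.

```php
<?php
// Stand-in for Drupal's user_access(): here permissions are a constructed
// array stored on the account object (assumption for this example only).
function user_access($permission, $account) {
  return in_array($permission, $account->permissions, TRUE);
}

// The return expression as quoted in the report: "=" assigns, it does not compare.
function payment_access_reported($operation, $payment, $account) {
  return user_access('payment.payment.' . $operation . '.any', $account)
    || $payment
    && user_access('payment.payment.' . $operation . '.own', $account)
    && $account->uid = $payment->uid;
}

// The same expression with the "==" comparison proposed in the report.
function payment_access_compared($operation, $payment, $account) {
  return user_access('payment.payment.' . $operation . '.any', $account)
    || ($payment
      && user_access('payment.payment.' . $operation . '.own', $account)
      && $account->uid == $payment->uid);
}

// Constructed sample data: user 7 holds only the ".own" permission,
// and the payment belongs to user 3.
function sample_account() {
  return (object) array(
    'uid' => 7,
    'permissions' => array('payment.payment.view.own'),
  );
}
$payment = (object) array('uid' => 3);

// Comparison form: print the access decision and the account uid afterwards.
$account = sample_account();
var_dump(payment_access_compared('view', $payment, $account));
var_dump($account->uid);

// Reported form: print the same two values for a fresh copy of the account.
$account = sample_account();
var_dump(payment_access_reported('view', $payment, $account));
var_dump($account->uid);
```

With the comparison the check denies access and the account keeps uid 7; with the assignment the check grants access and the account object now carries uid 3, because PHP objects are passed by handle and the write lands on the caller's object. That side effect is consistent with the identity mix-up described in the report.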
Comments
Comment #1
Xano
This issue was fixed in collaboration with the security team. See SA-CONTRIB-2013-002 for more details.