There is some inconsistency in how the pages of the tracker module are displayed.

If you have the default settings for anonymous users, where only the 'access content' permission is enabled, then:

example.com/tracker - accessible
example.com/tracker/all - access denied

The menu item "Recent Posts" can be disabled, but the /tracker link is still accessible.

The tracker module should have its own permissions.
But for Drupal 6 it would be enough for me if the /tracker link worked like /tracker/all, meaning not accessible to anonymous users by default.

Comments

ricabrantes’s picture

Version: 6.x-dev » 7.x-dev
Assigned: Unassigned » ricabrantes
Status: Active » Postponed (maintainer needs more info)
Attached file (status: new), size: 394 bytes

This bug is active in D7.x-dev and the error happens in tracker.module.

In the "tracker" menu the permission is set according to "access content", and that makes sense, because allowing content to be viewed should also allow the tracker, since it is a complementary module. In the case of the "tracker/all" menu, the permission only allows access to authenticated users, but both menus return exactly the same results.

This patch sets the permission of "tracker/all" equal to the one used on "tracker" and can be applied to D7 and D6.
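An added example, not part of the thread or of Drupal's code: a small stand-alone PHP audit that flags menu paths serving the same page under different access rules, which is the mismatch described above. The router entries are constructed from the thread's description, and the `tracker_page` callback name, the `tracker/%user` entry, and the helper function names are assumptions.

```php
<?php
// Constructed hook_menu()-style entries modelled on the thread's description.
// Callback names are assumptions, not copied from tracker.module.
$items = array(
  'tracker' => array(
    'page callback' => 'tracker_page',
    'access arguments' => array('access content'),
  ),
  'tracker/all' => array(
    'page callback' => 'tracker_page',
    'access callback' => 'user_is_logged_in',
  ),
  'tracker/%user' => array(
    'page callback' => 'tracker_page',
    'page arguments' => array(1),
    'access callback' => 'user_is_logged_in',
  ),
);

// Reduce an item's access rule to a comparable string.
function access_signature(array $item) {
  // The menu system uses user_access() when only 'access arguments' is given.
  $callback = isset($item['access callback']) ? $item['access callback'] : 'user_access';
  $args = isset($item['access arguments']) ? $item['access arguments'] : array();
  return $callback . '(' . implode(', ', $args) . ')';
}

// Group paths by the page they render; report groups whose access rules differ.
function find_inconsistent_access(array $items) {
  $groups = array();
  foreach ($items as $path => $item) {
    $args = isset($item['page arguments']) ? $item['page arguments'] : array();
    $key = $item['page callback'] . '|' . serialize($args);
    $groups[$key][$path] = access_signature($item);
  }
  $findings = array();
  foreach ($groups as $paths) {
    if (count(array_unique($paths)) > 1) {
      $findings[] = $paths;
    }
  }
  return $findings;
}

foreach (find_inconsistent_access($items) as $paths) {
  echo "Same page, different access rules:\n";
  foreach ($paths as $path => $rule) {
    echo "  /$path => $rule\n";
  }
}
```

With the constructed entries, only the `tracker` and `tracker/all` pair is reported, because the third entry passes a different page argument and so renders a different page.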

magico’s picture

Status: Postponed (maintainer needs more info) » Needs review

gábor hojtsy’s picture

Status: Needs review » Closed (duplicate)

Drupal 6.2 was released in the meantime and fixed this security issue.

amir simantov’s picture

@Gábor - Why isn't the fix in 6.14? 6.x is dev, not release.

pasqualle’s picture

Category: bug » feature
Priority: Minor » Normal
Status: Closed (duplicate) » Needs review

There is only one code repository for Drupal 6, and it gets released sometimes.

But you are right, this issue is not fixed. The /tracker path still uses the basic "access content" permission. I do not want anonymous access for this path.

Status: Needs review » Needs work

The last submitted patch failed testing.

tracerul’s picture

Version: 7.x-dev » 6.14
Assigned: ricabrantes » tracerul
Status: Needs work » Needs review
Attached file (status: new), size: 2.78 KB

I made some modifications to the tracker module for the recent posts link, with permissions for anonymous or registered users, and I want to share them with you. I hope this helps you. Just rename tracker.module.txt to tracker.module. Overwrite the old file with this one on the server. Deactivate the tracker module and reactivate it. I think it works fine now. I await your comments. Excuse me for my bad English. And back up your files :)

pasqualle’s picture

Version: 6.14 » 7.x-dev
Status: Needs review » Needs work

shady_gun’s picture

Status: Needs work » Needs review

#1: tracker.module-D7-20-03-08.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, tracker.module-D7-20-03-08.patch, failed testing.

Nephele’s picture

Assigned: tracerul » Unassigned
Status: Needs work » Fixed

This issue was fixed at some point in the last three years (see #3), so I'm changing the status to fixed.

Specifically, I've confirmed (in Drupal 7) that anonymous users can access both tracker and tracker/all. Furthermore, the line of code that the patch in #1 tries to remove no longer exists in the code.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.