search_attachment and node access
geilner - July 1, 2009 - 15:39
| Project: | Search Files |
| Version: | 6.x-2.0-beta4 |
| Component: | Search Attachments |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Jump to:
Description
The search_attachments module displays all the attached documents where the querystring is found, even the documents attached to nodes that the user hasn't got the permission to view.
Example : in my site, an anonymous user can see can find and see attached documents to private nodes.
I use the taxonomy access control to handle the node access.
#1
#2
Subscribing
I have installed node_access as well as search_files. I created a content type called PDF and generally granted all roles other than anonymous permission to search files. But I have posted specific pdf files that only organization leaders and administrators may view. The nodes are not visible to anyone else, but a low-level authorized user who searches files gets a list of attached files and can view those files.
This is an important security issue.
#3
When this feature will be added? I really need it. I use the module "content access" (http://drupal.org/project/content_access).
Thanks!
#4
#5
I would also appreciate this feature.
#6
Tracking. Very important that it respect access control.
#7
Will this feature be compatible with "Private Upload" module (http://drupal.org/project/private_upload)? It's important for me!
#8
Should this be considered a security issue? (Private data is being made available publicly in the current version of the module.)
#9
It's a security bug. Tracking it.
#10
Subscribe