The Views module has a security hole where a default view is viewable by anonymous users. the "Access:" field should respect the access_content permission of the nodes that it displays.

If the "Access:" field is set to default, For each node in a view, check to see if the user has access to view the node.

Currently the default value is "unrestricted" but should probably be "based on nodes", so I beleive the bug is:

1) Change the default value for a new view's "Access:" property to "based on nodes"
2) When "based on nodes"s is chosen, do a permission check to see if each node in the view is accessible.

Comments

merlinofchaos’s picture

merlinofchaos commented
Status: Active » Closed (won't fix)

All view queries pass through db_rewrite_sql which restricts nodes via node_access rules. #2 is definitely not necessary, this already happens, assuming you're using a 'node' view. If you're using something other than a node view that happens to bring in nodes, you have to add node access filters yourself. This cannot be done automatically.

If you desire 'access content' permission on your view, you should add that. I don't consider this a security hole, this is a misconfiguration. It is the same kind of misconfiguration as adding 'full html' filters to anonymous users. In fact, it can be quite useful to have views that special case the permissions, so automating 'access content' on views would be unnecessarily restrictive.