Diff doesn't respect cck permissions

Project: Content Construction Kit (CCK)
Version: 6.x-2.x-dev
Component: General
Category: bug report
Priority: normal
Assigned: Amitaibu
Status: closed (fixed)

Issue Summary

A user without privileges to view a field may see the content of a field via diff.

Comments

#1

Project: Diff » Content Construction Kit (CCK)
Version: 6.x-2.x-dev » 6.x-2.x-dev
Component: Code » General

This is actually a CCK issue.

(p.s. please add diff to CCK component).

#2

Assigned to: Anonymous » Amitaibu
Status: active » needs review

And here's the patch.

Attachment: cck-diff-1.patch (1.1 KB)

#3

Curiously enough I reported this issue to the Drupal security team a week or so ago. They concluded it could be resolved in the CCK queue and no additional action would be needed. In the meantime, I was discussing with yched and KarenS what to do next...

@Amitaibu: your patch is not correct as CCK provides a function for this: content_access().

Attached is the patch that will be committed to CVS, and I guess it will happen asap.

Attachment: content_diff_access.patch (931 bytes)
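
The class of bug discussed in this thread, as an added illustration that is not code from CCK or from either attached patch: a diff builder that reads field values straight from two revisions shows every changed field unless it repeats the per-field view check. All function names, permission strings and sample data below are hypothetical and constructed; in CCK the check would be content_access(), as comment #3 notes.

```php
<?php
// Constructed sample data: two field definitions and two revisions of one node.
$fields = array(
  'field_summary' => array('field_name' => 'field_summary', 'label' => 'Summary'),
  'field_internal_notes' => array('field_name' => 'field_internal_notes', 'label' => 'Internal notes'),
);
$old = array('field_summary' => 'Draft', 'field_internal_notes' => 'Customer disputes invoice');
$new = array('field_summary' => 'Final', 'field_internal_notes' => 'Dispute settled');

// Hypothetical stand-in for a per-field access check such as
// content_access('view', $field). Permission strings are constructed.
function example_field_access($op, array $field, array $account) {
  return in_array($op . ' ' . $field['field_name'], $account['permissions'], TRUE);
}

// Build the rows a diff page would render.
// $check_access = FALSE reproduces the reported behaviour: every changed
// field is returned, whatever the viewer's field permissions are.
// $check_access = TRUE skips fields the viewer may not view before their
// values are read into the result.
function example_field_diff(array $fields, array $old, array $new, array $account, $check_access) {
  $rows = array();
  foreach ($fields as $name => $field) {
    if ($check_access && !example_field_access('view', $field, $account)) {
      continue;
    }
    $before = isset($old[$name]) ? $old[$name] : '';
    $after = isset($new[$name]) ? $new[$name] : '';
    if ($before !== $after) {
      $rows[$field['label']] = array('old' => $before, 'new' => $after);
    }
  }
  return $rows;
}

// Constructed account: may view the summary field only.
$viewer = array('permissions' => array('view field_summary'));

echo "Without field access check:\n";
print_r(example_field_diff($fields, $old, $new, $viewer, FALSE));

echo "With field access check:\n";
print_r(example_field_diff($fields, $old, $new, $viewer, TRUE));
```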

#4

Thanks, indeed, only after submitting the patch I realized it might be a security issue. Anyway, thanks for the re-roll.

#5

Status: needs review » fixed

Committed to CVS (branches CCK2 and CCK3).

Soon to be released as CCK 2.5.

#6

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.