A user without privileges to view a field, may see the content of a field via diff.

CommentFileSizeAuthor
#3 content_diff_access.patch931 bytesmarkus_petrux
#2 cck-diff-1.patch1.1 KBamitaibu

Comments

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented
Project: Diff » Content Construction Kit (CCK)
Component: Code » General

This is actually a CCK issue.

(p.s. please add diff to CCK component).

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented
Assigned: Unassigned » amitaibu
Status: Active » Needs review
StatusFileSize
new cck-diff-1.patch1.1 KB

And here's the patch.

markus_petrux’s picture

markus_petrux commented
StatusFileSize
new content_diff_access.patch931 bytes

Curiously enough I reported this issue to the Drupal security team a week or so ago. They concluded it could be resolved in the CCK queue and no additional action would be needed. In the meantime, I was discussing with yched and KarenS what to do next...

@Amitaibu: your patch is not correct as CCK provides a function for this: content_access().

Attached is the patch that will be committed to CVS, and I guess it will happen asap.

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented

Thanks, indeed, only after submitting the patch I realized it might be a security issue. Anyway, thanks for the re-roll.

markus_petrux’s picture

markus_petrux commented
Status: Needs review » Fixed

Committed to CVS (branches CCK2 and CCK3).

Soon to be released as CCK 2.5.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.