
Hide non-accessible things from user

Project: Content Management Filter
Version: 6.x-2.0
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active

Issue Summary

There are multiple problems with visibility:

Roles
A user can filter by roles which he is not granted. Let's say there is an Admin role, and a user which is not in that role (and not #1) is able to see this role in the drop-down.

Content types
A user can filter by content type to which he has no rights to edit/create/delete. In my eyes it makes no sense to show these content types to the user.

Comments
Comment is visible in General settings although the module is not enabled. This breaks the site. See #632798: Site breaks if comments are disabled and filter is set to comments

Comments

#1

The same is true for update actions.
- There is "update path alias" although the user has no rights on the path or pathauto module.
- Delete and publishing options are visible, although the user can't do this on the filtered node type.
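One way to implement the option-list restrictions asked for in the issue summary and in #1, added here as an example; this is not code from cmf.module and not the patch posted later in this thread. It assumes only Drupal 6 core APIs (user_roles(), node_get_types(), node_access(), user_access(), module_exists()); the cmf_example_* function names and the action keys are hypothetical.

```php
<?php
// Added example, not code from cmf.module or from the patches in this thread.
// Assumes Drupal 6 core only; cmf_example_* names and action keys are
// hypothetical.

/**
 * Role filter options. user_access() is always TRUE for uid 1, so only users
 * without 'administer users' are limited to the roles they actually hold;
 * an "Admin" role they are not in is never listed for them.
 */
function cmf_example_role_options($account) {
  // membersonly = TRUE leaves out 'anonymous user'; the array is keyed by rid.
  $roles = user_roles(TRUE);
  if (user_access('administer users', $account)) {
    return $roles;
  }
  // $account->roles is keyed by rid as well, so intersect on the keys.
  return array_intersect_key($roles, $account->roles);
}

/**
 * A stub node of $type owned by $account, enough for node_access() to reach
 * node_content_access() for 'update'/'delete': nid 0 skips the {node_access}
 * table lookup, and the default format satisfies filter_access().
 */
function cmf_example_stub_node($type, $account) {
  return (object) array(
    'type' => $type,
    'uid' => $account->uid,
    'nid' => 0,
    'status' => 1,
    'format' => FILTER_FORMAT_DEFAULT,
  );
}

/**
 * Content type filter options: a type is listed only if the user may create
 * it or may update/delete their own nodes of that type. Types whose module
 * implements hook_access() against real node data need a different check.
 */
function cmf_example_type_options($account) {
  $options = array();
  foreach (node_get_types('names') as $type => $name) {
    $stub = cmf_example_stub_node($type, $account);
    // node_access() takes a type name for 'create' and a node object otherwise.
    if (node_access('create', $type, $account)
        || node_access('update', $stub, $account)
        || node_access('delete', $stub, $account)) {
      $options[$type] = $name;
    }
  }
  return $options;
}

/**
 * Update actions offered for the selected type (#1): publishing needs
 * 'administer nodes', delete needs delete access on the type, and the path
 * alias action needs path.module enabled plus the permission it defines.
 */
function cmf_example_action_options($type, $account) {
  $actions = array();
  if (user_access('administer nodes', $account)) {
    $actions['publish'] = t('Publish');
    $actions['unpublish'] = t('Unpublish');
  }
  if (node_access('delete', cmf_example_stub_node($type, $account), $account)) {
    $actions['delete'] = t('Delete');
  }
  if (module_exists('path') && user_access('create url aliases', $account)) {
    $actions['path'] = t('Update path alias');
  }
  return $actions;
}

/**
 * General filters: the comment filter is only offered while comment.module
 * is enabled, so it cannot be selected in the state reported in #632798.
 */
function cmf_example_general_filters() {
  $filters = array('status' => t('Published'));
  if (module_exists('comment')) {
    $filters['comment'] = t('Comments');
  }
  return $filters;
}
```

Each function takes the account explicitly so the same lists can be built for a user other than the one currently logged in; passing the global $user gives the behaviour the filter form needs. Hiding an option is only half of the fix: the submit handler still has to validate the posted role, type and action against the same functions, because a user can post values that were never in the form.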

#2

Hi,

I added db_rewrite_sql() in each query in the cmf.module file, to be able to access the statements. So I'm able to restrict access to the nodes ...

It would be very nice if within the next release the module worries a little bit more about security and user rights ;-)
(see also http://drupal.org/node/632826)

Attachment: cmf.module.db_rewrite_sql.patch (5.11 KB)

#3

Forget the patch/attachment from #2, because I forgot the parameters of db_rewrite_sql().

Here is the new patch:

Attachment: cmf.module.db_rewrite_sql.patch (4.72 KB)
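The db_rewrite_sql() wrapping described in #2 and #3, as an added example; this is not the patch attached above and not cmf.module's own code. It assumes only Drupal 6 core APIs (db_rewrite_sql(), db_query(), db_query_range(), db_result(), db_fetch_object()); the cmf_example_* names are hypothetical, and the queries are constructed for illustration.

```php
<?php
// Added example, not the patch attached to #2/#3 and not cmf.module's own
// code. Assumes Drupal 6 core only; the cmf_example_* names are hypothetical.

/** Collect the nid column of a result set into an array. */
function cmf_example_collect_nids($result) {
  $nids = array();
  while ($row = db_fetch_object($result)) {
    $nids[] = (int) $row->nid;
  }
  return $nids;
}

/**
 * Before: every node of the type is returned, regardless of the node access
 * grants of the current user.
 */
function cmf_example_nids_unchecked($type, $limit = 50) {
  $sql = "SELECT n.nid FROM {node} n WHERE n.type = '%s' ORDER BY n.changed DESC";
  return cmf_example_collect_nids(db_query_range($sql, $type, 0, $limit));
}

/**
 * After: db_rewrite_sql() invokes every hook_db_rewrite_sql() implementation
 * and returns the rewritten SQL string; node.module adds an INNER JOIN on
 * {node_access} plus a WHERE clause built from the user's grants, unless the
 * user has 'administer nodes' or a view-all grant. The rewritten string is
 * then passed to db_query*() as usual, with the same placeholder arguments.
 *
 * The 2nd and 3rd parameters are the alias of the primary table and its key
 * column as written in the query. node.module only rewrites when the field
 * is 'nid' and joins on "<alias>.nid", so an alias that does not match the
 * query either skips the check or produces a broken join.
 */
function cmf_example_nids_checked($type, $limit = 50) {
  $sql = "SELECT n.nid FROM {node} n WHERE n.type = '%s' ORDER BY n.changed DESC";
  $sql = db_rewrite_sql($sql, 'n', 'nid');
  return cmf_example_collect_nids(db_query_range($sql, $type, 0, $limit));
}

/**
 * Same for a query that aliases {node} differently: pass the alias the query
 * actually uses, not the default 'n'.
 */
function cmf_example_nids_by_author_checked($uid) {
  $sql = "SELECT nd.nid FROM {node} nd WHERE nd.uid = %d ORDER BY nd.nid";
  return cmf_example_collect_nids(db_query(db_rewrite_sql($sql, 'nd', 'nid'), $uid));
}

/**
 * The COUNT query behind a pager has to be rewritten too, or the pager
 * advertises rows the user cannot see. pager_query() accepts the rewritten
 * query and count query strings in the same way.
 */
function cmf_example_count_checked($type) {
  $sql = "SELECT COUNT(n.nid) FROM {node} n WHERE n.type = '%s'";
  return (int) db_result(db_query(db_rewrite_sql($sql, 'n', 'nid'), $type));
}
```

The rewrite only restricts what node access modules restrict: a user with 'administer nodes' still sees everything, and a site without any node access module installed gets the default grant row, so the wrapped query returns the same rows as the unwrapped one. The permission checks on the filter options and on the update actions themselves still have to be done separately.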

#4

I can confirm this bug also. The co-maintainer of the last 2 releases has left the project, I will try to see what I can do.

introfini

#5

This seems to be dead, but subscribing; I think there is a lack of security.

#6

No, I have not left the project. RealLife™ has been kicking my butt - almost into the grave. I will be back soon. But any help in the meantime is greatly appreciated.

#7

Until there is a maintainer reviewing the patch, I published the latest version of the cmf module containing the patch from above:

see http://drupal.cocomore.com/project/cmf for download

#8

Thanks for publishing that patch Carsten! Although, I think there may be an issue with it. After downloading and installing, I noticed that cmf.module didn't seem to contain your patch - and even after manually applying the patch, users without correct permissions are still able to see content they do not have access to edit.