Nodes of content type 'campaign' are viewable by anyone, even anonymous users. It looks like this is because the activism_campaign_access() function simply returns a value of TRUE if $op == 'view'. Rather than simply return a value of true, it needs to test whether the user has appropriate permissions. I put together the attached patch using some code adapted from the node module's node_access() function.

Comment | File | Size | Author
 | activism.patch.txt | 1.61 KB | sheldon rampton
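
Added example, not the attached patch or the activism module's own code: a stand-alone PHP model of the access callback described in the report, showing the unconditional 'view' grant next to a version that tests a permission first. The function names, the demo_user_access() helper (a stand-in for Drupal's user_access()), the choice of the 'access content' permission and the sample accounts are all assumptions made for illustration.

```php
<?php
// Constructed role-to-permission map standing in for Drupal's permission table.
$GLOBALS['demo_permissions'] = array(
  'anonymous user'     => array(),
  'authenticated user' => array('access content'),
);

// Hypothetical stand-in for Drupal's user_access($string, $account).
function demo_user_access($permission, $account) {
  foreach ($account->roles as $role) {
    if (in_array($permission, $GLOBALS['demo_permissions'][$role], TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Behaviour described in the report: every 'view' request is granted,
// whoever is asking.
function campaign_access_before($op, $node, $account) {
  if ($op == 'view') {
    return TRUE;
  }
  return NULL; // other operations are not modelled here
}

// Hardened form: 'view' is granted only when the account holds the permission.
function campaign_access_after($op, $node, $account) {
  if ($op == 'view') {
    return demo_user_access('access content', $account);
  }
  return NULL; // other operations are not modelled here
}

// Constructed sample node and accounts.
$node = (object) array('nid' => 1, 'type' => 'campaign');
$accounts = array(
  'anonymous' => (object) array('uid' => 0, 'roles' => array('anonymous user')),
  'member'    => (object) array('uid' => 7, 'roles' => array('authenticated user')),
);

// Print the decision each version makes for each account.
foreach ($accounts as $label => $account) {
  printf("%-9s before=%s after=%s\n", $label,
    var_export(campaign_access_before('view', $node, $account), TRUE),
    var_export(campaign_access_after('view', $node, $account), TRUE));
}
```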

Comments

drumm

Issue tags: +Security

There are no supported releases of this project, so security issues may be public.