Hi!

Workflow tab access is granted by the function workflow_node_tab_access when:

- node type has a workflow associated, and
- user is in an allowed role established on /admin/build/workflow/edit/, or
- user can administer nodes

So, any user can access the workflow history even when they have no view or update access to a node at all, simply by typing the workflow history URL (/node//workflow).

I think it may pose a security issue in some cases. I made a simple patch for my site; it may help someone in the same situation.

Attachments:
- #8 785194.patch (1.3 KB, nancydru)
- wf_only_if_nodeaccess.patch (597 bytes, manuel.adan)
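An added sketch of the access-callback pattern the report describes, beside a hardened variant that consults the node's own access rules first. This is illustration only, not the workflow module's code nor the attached patch; example_workflow_for_type() and example_workflow_tab_roles() are assumed helpers, while node_access() and user_access() are core Drupal functions.

```php
<?php
// Added illustration, not the workflow module's own code or the attached patch.
// Helper names prefixed example_ are assumed stand-ins for the module's lookups.

/**
 * Shape of the check as described in the report: the node's own access rules
 * are never consulted, so a user in an allowed workflow role can open
 * /node/NID/workflow for a node they cannot view or update.
 */
function example_workflow_tab_access_before($node) {
  global $user;
  // Assumed helper: workflow id configured for this node type, or 0 if none.
  $wid = example_workflow_for_type($node->type);
  if (!$wid) {
    return FALSE;
  }
  // Site administrators always get the tab.
  if (user_access('administer nodes')) {
    return TRUE;
  }
  // Assumed helper: role ids allowed on the workflow tab for this workflow
  // (the roles configured under /admin/build/workflow/edit/).
  $allowed = example_workflow_tab_roles($wid);
  return (bool) array_intersect($allowed, array_keys($user->roles));
}

/**
 * Hardened variant: refuse the tab unless the current user can at least view
 * or update the node, then apply the workflow-specific role check as before.
 */
function example_workflow_tab_access_after($node) {
  if (!node_access('view', $node) && !node_access('update', $node)) {
    return FALSE;
  }
  return example_workflow_tab_access_before($node);
}

// In hook_menu() the hardened callback would be wired to the tab like this:
//   'access callback'  => 'example_workflow_tab_access_after',
//   'access arguments' => array(1),
```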

Comments

arcall:

adan,

It took me a while to find your post, but god, you saved me a lot of time. It's working perfectly.

Thank you very much.

manuel.adan:

Version: 6.x-1.4 » 6.x-1.5
Category: feature » bug

You're welcome, arcall. Really, this is a bug: anyone with edit workflow access has whole workflow access on the website.

manuel.adan:

Priority: Normal » Major

Nearly three years later, this (security) bug is still open and the patch has not been ported to the dev branch...

nancydru:

Status: Needs review » Fixed

Even though I am not working on the 6.x-1.x branch, I committed your patch (sorry, in the rush, I forgot the attribution).

If this could truly be considered a security fix, please see How to report a security issue.

nancydru:

Committed to 7.x-1.x branch, with attribution.

tte:

Status: Fixed » Active

I don't think this is the right approach. In fact, it breaks (my) workflow functionality when following this "revisioning"/"workflow" model here: http://drupal.org/node/408052 (list item 8, 'important' notice).

Checking for additional "revisioning" related permissions isn't quite useful either, as you can use lots of individual permission sets, resulting in too many checks.

As an alternative, we could implement an additional "view workflow history" permission and only show the workflow tab, as long as this permission or the already existing "schedule workflow transitions" permission is set for the current user.

nancydru:

Actually, you are right. On the workflow configuration, there is a section "Workflow tab permissions" that governs which nodes show the tab. In what way is that not an adequate solution already? This patch hits that same code.

nancydru:

Status: Active » Needs review
Attachment: new patch (1.3 KB)

This is a patch for the 7.x branch, but should be fairly close to the 6.x code as well.

nancydru:

Status: Needs review » Fixed

Committed to both 6.x-1.x and 7.x-1.x

Status: Fixed » Closed (fixed)
Issue tags: -Security, -workflow, -access content

Automatically closed -- issue fixed for 2 weeks with no activity.