Drupal 6.17
Panels 3.7
Ctools 1.7
jQueryUI 1.3

With the above only installed on a fresh drupal install and the IPE module enabled, if a panel node has the IPE option chosen it give anonymous access to the IPE interface which lets them edit the panel content just as if they were logged in! (see attached screenshot)

CommentFileSizeAuthor
#3 871730-panels-ipe-panel-node-permission.patch1.07 KBmerlinofchaos
IPE.jpg77.6 KBcodewatson
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented

Did you give the anonymous user the use ipe permission?

codewatson’s picture

codewatson CreditAttribution: codewatson commented

No, the only permission anonymous has is view content, and i dont think i see any permissions for the IPE in the first place?

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented
Status: Active » Needs review
FileSize
871730-panels-ipe-panel-node-permission.patch1.07 KB

Try this patch.

codewatson’s picture

codewatson CreditAttribution: codewatson commented

That appears to have done the trick.

damiandab’s picture

damiandab CreditAttribution: damiandab commented

thanks for the patch , it solved the problem :)

damiandab’s picture

damiandab CreditAttribution: damiandab commented

@ dwatson permissions for the IPE: panels module >> use panels in place editing

codewatson’s picture

codewatson CreditAttribution: codewatson commented

Ah, i must be blind, thanks!

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented
Status: Needs review » Fixed

Committed to -dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

xtfer’s picture

xtfer CreditAttribution: xtfer commented

Should this get a security update? This is a rather large security hole.