A user without privileges to view a field may see the content of a field via diff.
Comment | File | Size | Author |
---|---|---|---|
#3 | content_diff_access.patch | 931 bytes | markus_petrux |
#2 | cck-diff-1.patch | 1.1 KB | amitaibu |
Comments
Comment #1
amitaibu: This is actually a CCK issue.
(p.s. please add diff to CCK component).
Comment #2
amitaibu: And here's the patch.
Comment #3
markus_petrux: Curiously enough I reported this issue to the Drupal security team a week or so ago. They concluded it could be resolved in the CCK queue and no additional action would be needed. In the meantime, I was discussing with yched and KarenS what to do next...
@Amitaibu: your patch is not correct as CCK provides a function for this: content_access().
Attached is the patch that will be committed to CVS, and I guess it will happen asap.
Comment #4
amitaibu: Thanks, indeed, only after submitting the patch I realized it might be a security issue. Anyway, thanks for the re-roll.
Comment #5
markus_petrux: Committed to CVS (branches CCK2 and CCK3).
Soon to be released as CCK 2.5.