A user without privileges to view a field, may see the content of a field via diff.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

amitaibu’s picture

Project: Diff » Content Construction Kit (CCK)
Component: Code » General

This is actually a CCK issue.

(p.s. please add diff to CCK component).

amitaibu’s picture

Assigned: Unassigned » amitaibu
Status: Active » Needs review
FileSize
1.1 KB

And here's the patch.

markus_petrux’s picture

FileSize
931 bytes

Curiously enough I reported this issue to the Drupal security team a week or so ago. They concluded it could be resolved in the CCK queue and no additional action would be needed. In the meantime, I was discussing with yched and KarenS what to do next...

@Amitaibu: your patch is not correct as CCK provides a function for this: content_access().

Attached is the patch that will be committed to CVS, and I guess it will happen asap.

amitaibu’s picture

Thanks, indeed, only after submitting the patch I realized it might be a security issue. Anyway, thanks for the re-roll.

markus_petrux’s picture

Status: Needs review » Fixed

Committed to CVS (branches CCK2 and CCK3).

Soon to be released as CCK 2.5.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.