Updated: Comment #0

Problem/Motivation

Modules querying the node tables should check the user has access to the node before displaying the title.
The module mimics some of the 'admin/content/node' functionality but doesn't add the 'node_access' tag to the query used to fetch the list of content.
This would allow users to view the title of a node that they had previously imported but might no longer have access to.
E.g. the module only checks the presence of the node in $_SESSION['bulk_media_upload_batch_result']['ids'], but the user might upload the files to a node and then someone else might modify them, adding access controls and a sensitive title that the original uploader might not be expected to view.
Yeah, it's a long shot, but it's a one-line fix and given advisories like this, better to fix it now than when a full release comes around.

Proposed resolution

Add the 'node_access' tag to the query.
See Forum module (first line) for an example.
Basically you need to add

->addTag('node_access')

to the query and that's it.

Remaining tasks

Write the patch
Test and review

User interface changes

Users only see nodes they should have access to

API changes

None

Thanks for this module btw, code is nice to read.
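
As an added worked example, not code from the bulk_media_upload module or from the issue author: the query shape described above, first without and then with the 'node_access' tag. It assumes the Drupal 7 database API (db_select) and the node module's query alter; the function name and its arguments are hypothetical.

```php
<?php
/**
 * Added illustration (not the module's own code). Assumes Drupal 7's
 * db_select() and the node module; the function name is hypothetical.
 *
 * Returns the titles of previously imported nodes, restricted to the
 * nodes the given account is actually allowed to view.
 */
function example_batch_result_titles(array $nids, $account = NULL) {
  if (empty($nids)) {
    return array();
  }
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }

  // Without the tag this query returns every row whose nid is in the
  // session list, including nodes the user can no longer view.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.nid', $nids, 'IN');

  // The fix: the tag lets node_query_node_access_alter() join {node_access}
  // and drop rows without a 'view' grant for the account. Users with
  // 'bypass node access' are unaffected, and when no node access module is
  // enabled the query is left as it is.
  $query->addTag('node_access');
  // Optional metadata: check an explicit account and operation instead of
  // the global user and the default 'view'.
  $query->addMetaData('account', $account);
  $query->addMetaData('op', 'view');

  $titles = array();
  foreach ($query->execute() as $row) {
    $titles[$row->nid] = $row->title;
  }
  return $titles;
}
```

In the case from the issue summary the first argument would be the nid list kept in $_SESSION['bulk_media_upload_batch_result']['ids']; the session check alone tells you the user once created the node, while the tag checks what they may see now.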

Comments

rudolfbyker

Issue summary: View changes
Priority: Minor » Normal
Status: Active » Needs review
FileSize: 429 bytes

Here is a patch. Please review.