Updated: Comment #0
Problem/Motivation
Modules querying the node tables should check the user has access to the node before displaying the title.
The module mimics some of the 'admin/content/node' functionality but doesn't add the 'node_access' tag to the query used to fetch the list of content.
This would allow users to view the title of a node that they had previously imported but might no longer have access to.
E.g. the module only checks the presence of the node in $_SESSION['bulk_media_upload_batch_result']['ids']
but the user might upload the files to a node and then someone else might modify them, adding access controls and a sensitive title that the original uploader might not be expected to view.
Yeah, it's a long shot, but it's a one-line fix and given advisories like this, better to fix it now than when a full release comes around.
Proposed resolution
Add the 'node_access' tag to the query.
See Forum module (first line) for an example.
Basically you need to add
->addTag('node_access')
to the query and that's it.
Remaining tasks
Write the patch
Test and review
User interface changes
Users only see nodes they should have access to
API changes
None
Related Issues
None
Thanks for this module btw, code is nice to read.
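The before/after pair below is an added example, not code from the bulk_media_upload module or from the issue author. It assumes Drupal 7's DBTNG query builder; the session key $_SESSION['bulk_media_upload_batch_result']['ids'] comes from the issue, while the function names and the shape of the listing query are assumptions. It shows the one-line difference the proposed resolution describes: the query without the tag returns every remembered title, the tagged query lets node.module's hook_query_node_access_alter() filter rows the current user may not view.

```php
<?php
/**
 * Added example (not the module's code). Assumes Drupal 7 DBTNG.
 * The session key is taken from the issue; function names are hypothetical.
 */

/**
 * Helper: the node IDs the module remembered for the current user's batch.
 */
function bulk_media_upload_example_batch_nids() {
  return isset($_SESSION['bulk_media_upload_batch_result']['ids'])
    ? array_values($_SESSION['bulk_media_upload_batch_result']['ids'])
    : array();
}

/**
 * Before: returns nid => title for every remembered node, even if another
 * user has since restricted access to it. Presence in the session is the
 * only check, which is the bug the issue describes.
 */
function bulk_media_upload_example_titles_unchecked() {
  $nids = bulk_media_upload_example_batch_nids();
  if (empty($nids)) {
    return array();
  }
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.nid', $nids, 'IN')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * After: the 'node_access' tag makes node.module join the node_access grants
 * table for the current user, so rows they cannot view never leave the
 * database. This is the one-line fix from the proposed resolution.
 */
function bulk_media_upload_example_titles_checked() {
  $nids = bulk_media_upload_example_batch_nids();
  if (empty($nids)) {
    return array();
  }
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.nid', $nids, 'IN')
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Defensive variant for callers that already hold loaded nodes: node_access()
 * applies the same grants plus per-node rules (e.g. unpublished content), so
 * it is a useful second check when titles are rendered outside the query.
 */
function bulk_media_upload_example_filter_viewable(array $nodes) {
  $viewable = array();
  foreach ($nodes as $node) {
    if (node_access('view', $node)) {
      $viewable[$node->nid] = $node->title;
    }
  }
  return $viewable;
}
```

Two caveats when reviewing the patch: the alter hook only restricts results when at least one node access module has written grants (otherwise node_access_view_all_nodes() is TRUE and the tag is a no-op), and users holding 'bypass node access' still see every row. The hook also needs to find the node table in the query; with db_select('node', 'n') as the base table that is automatic, but a query that starts from another table must declare it with ->addMetaData('base_table', 'node') or the alter will throw an exception.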
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | bulk_media_upload-node_access_tag-2077497-1.git_.patch | 429 bytes | rudolfbyker |
Comments
Comment #1
rudolfbyker: Here is a patch. Please review.