I have fixed the bug that the admin view of this module could be accessed by all people. Now the admin user must assign the *view invitation permission* permission to the users who want to see the admin view.

Please check out the latest code on the 7.x-1.x branch.

Thank you.

Comments

greggles

Thanks for starting this issue. I've added it to the project page so any interested parties can coordinate here.

The most recent change is http://drupalcode.org/project/invitation.git/blobdiff/a7047848cff93ad83d...

That permission is not declared anywhere meaning that only uid1 can view the view which seems like a mistake.

By the way, please review the guidelines for how to format your commit messages.

  • Commit 73c7cf6 on 7.x-1.x by chinabruce:
    Issue #2235593 by chinabruce, greggles: Fixed the bug that only uid 1...
bdsupport

Fixed the mistake.

The change is
http://drupalcode.org/project/invitation.git/blobdiff/af86c8de56b4a86608...

Then the admin can assign the permission to any role that wants to view the invitation user list.

greggles

Looks good to me. I tested this out on simplytest.me and it seems to work. It would be good to get verification that this fixes the security issue from another person.

How about writing a simpletest as well that creates a few invitations and confirms the path is not accessible to anonymous?
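For readers following the two points raised above (an undeclared permission leaves only uid 1 with access, and a simpletest should confirm anonymous users get a 403), here is an added example of what that looks like in Drupal 7. This is illustrative code written for this page, not the invitation module's own code; the permission machine name `view invitation permission`, the path `admin/people/invitations`, and the view name `invitations` are assumptions. Creating sample invitations would use the module's own API, which is not assumed here.

```php
<?php
// Added example, not the invitation module's code. Assumed names:
// permission 'view invitation permission', path admin/people/invitations,
// Views machine name 'invitations'.

/**
 * Implements hook_permission().
 *
 * Drupal 7 only knows about permissions that some module declares here.
 * If a view or menu item checks an undeclared permission, user_access()
 * returns FALSE for every account except uid 1, who bypasses all checks,
 * and the permission never appears on admin/people/permissions, so an
 * administrator cannot grant it to a role.
 */
function invitation_permission() {
  return array(
    'view invitation permission' => array(
      'title' => t('View the invitation list'),
      'description' => t('Access the administrative list of invitations.'),
      // Flag it as sensitive on the permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Fragment of a Views export (hook_views_default_views()) showing the
 * access plugin set to the declared permission instead of 'none'.
 */
function invitation_views_default_views() {
  $view = new view();
  $view->name = 'invitations';
  $view->base_table = 'users';
  $handler = $view->new_display('default', 'Master', 'default');
  // Access is the security-relevant part: 'perm' + the declared permission.
  $handler->display->display_options['access']['type'] = 'perm';
  $handler->display->display_options['access']['perm'] = 'view invitation permission';
  $handler = $view->new_display('page', 'Page', 'page_1');
  $handler->display->display_options['path'] = 'admin/people/invitations';
  $views[$view->name] = $view;
  return $views;
}

/**
 * Simpletest (invitation.test, listed in invitation.info as
 * files[] = invitation.test) confirming the access control.
 */
class InvitationAccessTestCase extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
      'name' => 'Invitation admin view access',
      'description' => 'Anonymous users are denied the admin invitation list.',
      'group' => 'Invitation',
    );
  }

  public function setUp() {
    parent::setUp(array('views', 'invitation'));
  }

  public function testAdminViewAccess() {
    // Anonymous: must be a 403, not the list.
    $this->drupalGet('admin/people/invitations');
    $this->assertResponse(403, 'Anonymous user cannot see the invitation list.');

    // An authenticated user without the permission is also denied.
    $plain = $this->drupalCreateUser(array());
    $this->drupalLogin($plain);
    $this->drupalGet('admin/people/invitations');
    $this->assertResponse(403, 'User without the permission is denied.');
    $this->drupalLogout();

    // drupalCreateUser() fails if the permission is not declared by any
    // module, so this line also catches a missing hook_permission().
    $viewer = $this->drupalCreateUser(array('view invitation permission'));
    $this->drupalLogin($viewer);
    $this->drupalGet('admin/people/invitations');
    $this->assertResponse(200, 'User with the permission can see the list.');
  }

}
```

Run it from the Testing UI (admin/config/development/testing) or with `php scripts/run-tests.sh --class InvitationAccessTestCase`. The third step is the useful one: `drupalCreateUser()` validates requested permissions against `user_permission_get_modules()`, so a test that grants the permission fails loudly if the declaration is ever removed again.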

greggles

Status: Needs review » Needs work
Issue tags: -#security

Comment #4 indicates that this needs work for a simpletest.