[drupal-devel] [bug] Bypass access via comments

chx drupal-devel at drupal.org
Sun Mar 20 02:14:26 UTC 2005


Issue status update for http://drupal.org/node/19009

 Project:      Drupal
-Version:      4.5.2
+Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
-Assigned to:  Anonymous
+Assigned to:  chx
 Reported by:  nazadus
 Updated by:   chx
-Status:       active
+Status:       patch
 Attachment:   http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)

moshe, http://drupal.org/node/18656 this does not seem to affect the
permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check
for access.


chx



Previous comments:
------------------------------------------------------------------------

March 16, 2005 - 20:39 : nazadus

I believe I have found a bug.
If you go to http://www.etherpunk.com/comment/reply/180 (possibly NSFW)
it allows you to view the posting (while you don't have permission to
actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden
page was getting hit fairly commonly that I really don't want getting
shown (well, it's on the web, I know... but... I'd rather have more
controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny


------------------------------------------------------------------------

March 16, 2005 - 21:02 : pyromanfo

That's definitely something you need to take up with the comment module
guys.  It's not just taxonomy access control either, it's the core
node_access hooks in Drupal.  If they'll just check that before
displaying a node for reply, that'd fix it no problem.


------------------------------------------------------------------------

March 16, 2005 - 21:20 : moshe weitzman

filed under comment.module ... note that my big comment patch gets rid
of this page entirely (consolidates under comment/edit) so it might
make sense to apply my patch instead of fixing this.
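
The fix discussed in this thread, checking node access before the reply page renders the parent node, as an added example. It is not chx's patch and not Drupal code: every `demo_*` function, the role names and the node data are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data: node 180 is viewable by the "editor" role only.
$nodes = [
    1   => ['title' => 'Public post', 'body' => 'hello',  'view_roles' => ['anonymous', 'editor']],
    180 => ['title' => 'Hidden page', 'body' => 'secret', 'view_roles' => ['editor']],
];

// Hypothetical stand-in for the core node access check mentioned in the thread.
function demo_node_access(string $op, array $node, array $user): bool {
    if ($op !== 'view') {
        return false; // this sketch only models the 'view' operation
    }
    return count(array_intersect($user['roles'], $node['view_roles'])) > 0;
}

// Before: the reply page renders the parent node for anyone who knows its id.
// Lacking the permission to post only hides the form, not the node itself.
function demo_reply_page_unchecked(array $nodes, int $nid, array $user): array {
    if (!isset($nodes[$nid])) {
        return ['status' => 404, 'body' => ''];
    }
    $body = $nodes[$nid]['title'] . "\n" . $nodes[$nid]['body'];
    if (in_array('post comments', $user['perms'], true)) {
        $body .= "\n[comment form]";
    }
    return ['status' => 200, 'body' => $body];
}

// After: literally check for access before anything about the node is rendered.
function demo_reply_page_checked(array $nodes, int $nid, array $user): array {
    if (isset($nodes[$nid]) && !demo_node_access('view', $nodes[$nid], $user)) {
        return ['status' => 403, 'body' => ''];
    }
    return demo_reply_page_unchecked($nodes, $nid, $user);
}

// Anonymous visitor with no permission to post comments.
$anon = ['roles' => ['anonymous'], 'perms' => []];
foreach ([1, 180] as $nid) {
    $before = demo_reply_page_unchecked($nodes, $nid, $anon);
    $after  = demo_reply_page_checked($nodes, $nid, $anon);
    printf("reply/%d  unchecked=%d  checked=%d\n", $nid, $before['status'], $after['status']);
}
```

The same check belongs on every path that renders a node (view, reply, feeds, previews), since an access rule enforced on only one route leaves the others open.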
