[drupal-devel] [bug] Bypass access via comments

Anonymous drupal-devel at drupal.org
Sun Mar 20 08:48:50 UTC 2005


Issue status update for http://drupal.org/node/19009

 Project:      Drupal
 Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  chx
 Reported by:  nazadus
 Updated by:   Anonymous
 Status:       patch

The discovery of this patch makes me wonder, whether we shouldn't
centralize the access control a bit more.
If a core module can show this kind of bug, contrib modules will almost
certainly.  I propose to do a node_access() check inside node_load.
Gerhard


Anonymous



Previous comments:
------------------------------------------------------------------------

March 16, 2005 - 19:39 : nazadus

I believe I have found a bug.
If you go to http://www.etherpunk.com/comment/reply/180  (possibly NSFW)
it allows you to view the posting (while you don't have permission to
actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden
page was getting hit fairly commonly that I really don't want getting
shown (well, it's on the web, I know... but... I'd rather have more
controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny


------------------------------------------------------------------------

March 16, 2005 - 20:02 : pyromanfo

That's definitely something you need to take up with the comment module
guys.  It's not just taxonomy access control either, it's the core
node_access hooks in Drupal.  If they'll just check that before
displaying a node for reply, that'd fix it no problem.


------------------------------------------------------------------------

March 16, 2005 - 20:20 : moshe weitzman

filed under comment.module ... note that my big comment patch gets rid
of this page entirely (consolidates under comment/edit) so it might
make sense to apply my patch instead of fixing this.


------------------------------------------------------------------------

March 20, 2005 - 02:14 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)

moshe, http://drupal.org/node/18656: this does not seem to affect the
permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check
for access.
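To make the "literally check for access" approach concrete, here is an added illustration (not the attached patch and not Drupal's own code) of what a comment/reply menu callback looks like when the parent node's view permission is checked before anything is rendered. It is modelled on Drupal 4.x-era function names (node_load, node_access, drupal_access_denied, user_access); the callback body and variable names are assumptions.

```php
<?php
// Added illustration, not the attached patch: a comment/reply callback that
// enforces node access before displaying the node being replied to.
// Function and variable names are assumptions modelled on Drupal 4.x.

function comment_reply($nid, $pid = NULL) {
  // Load the node the comment would be attached to.
  $node = node_load(array('nid' => $nid));

  // The bug in this issue: the reply page rendered the node without asking
  // whether the viewer may see it, so node access rules (including
  // taxonomy-based ones) were bypassed. Check 'view' access first and refuse
  // the whole page if it fails, so no part of the node is rendered.
  if (!$node || !node_access('view', $node)) {
    drupal_access_denied();
    return;
  }

  // Only once the node itself is viewable does posting permission matter.
  if (!user_access('post comments')) {
    drupal_set_message(t('You are not authorized to post comments.'), 'error');
    drupal_goto('node/' . $node->nid);
    return;
  }

  // From here on the callback may show the parent node and the reply form;
  // the rendering is omitted in this illustration.
  $output = node_view($node);
  return $output;
}
```

The ordering matters: the 'view' check must come before any node output, including the preview of the parent node shown above the reply form, and a failed check should end in an access denied response rather than a partially rendered page.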


------------------------------------------------------------------------

March 20, 2005 - 02:24 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_0.patch (1.51 KB)
------------------------------------------------------------------------

March 20, 2005 - 02:37 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_1.patch (1.56 KB)
------------------------------------------------------------------------

March 20, 2005 - 02:38 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_2.patch (1.56 KB)