[drupal-devel] [bug] Bypass access via comments
Anonymous
drupal-devel at drupal.org
Sun Mar 20 08:48:50 UTC 2005
Issue status update for http://drupal.org/node/19009
Project: Drupal
Version: cvs
Component: comment.module
Category: bug reports
Priority: critical
Assigned to: chx
Reported by: nazadus
Updated by: Anonymous
Status: patch
The discovery of this patch makes me wonder whether we shouldn't
centralize the access control a bit more.
If a core module can show this kind of bug, contrib modules will almost
certainly. I propose to do a node_access() check inside node_load.
Gerhard
Anonymous
Previous comments:
------------------------------------------------------------------------
March 16, 2005 - 19:39 : nazadus
I believe I have found a bug.
If you go to http://www.etherpunk.com/comment/reply/180 (possibly NSFW)
it allows you to view the posting (while you don't have permission to
actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden
page was getting hit fairly commonly that I really don't want getting
shown (well, it's on the web, I know... but... I'd rather have more
controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny
------------------------------------------------------------------------
March 16, 2005 - 20:02 : pyromanfo
That's definitely something you need to take up with the comment module
guys. It's not just taxonomy access control either, it's the core
node_access hooks in Drupal. If they'll just check that before
displaying a node for reply, that'd fix it no problem.
------------------------------------------------------------------------
March 16, 2005 - 20:20 : moshe weitzman
filed under comment.module ... note that my big comment patch gets rid
of this page entirely (consolidates under comment/edit) so it might
make sense to apply my patch instead of fixing this.
------------------------------------------------------------------------
March 20, 2005 - 02:14 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)
moshe, http://drupal.org/node/18656 this does not seem to affect the
permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check
for access.
------------------------------------------------------------------------
March 20, 2005 - 02:24 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_0.patch (1.51 KB)
------------------------------------------------------------------------
March 20, 2005 - 02:37 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_1.patch (1.56 KB)
------------------------------------------------------------------------
March 20, 2005 - 02:38 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_2.patch (1.56 KB)
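
Added example, not part of the thread and not the attached patch: a self-contained PHP model of the reported behaviour, showing a reply page that checks only the right to post beside one that uses a loader with the access check built in, as proposed above. All `demo_*` names, the `view_roles` field and the sample nodes are hypothetical and are not Drupal's API or schema.

```php
<?php
// Constructed sample data: node 180 is restricted, node 1 is public.
$NODES = [
  1   => ['title' => 'Public post', 'body' => 'hello',  'view_roles' => ['anonymous', 'member']],
  180 => ['title' => 'Hidden post', 'body' => 'secret', 'view_roles' => ['member']],
];

// Hypothetical stand-in for the access hooks: may $role view $node?
function demo_node_access(array $node, string $role): bool {
  return in_array($role, $node['view_roles'], true);
}

// Loader with no check: every caller has to remember to check access.
function demo_node_load_raw(int $nid): ?array {
  global $NODES;
  return $NODES[$nid] ?? null;
}

// Centralised variant: the loader itself refuses nodes the role cannot view.
function demo_node_load_checked(int $nid, string $role): ?array {
  $node = demo_node_load_raw($nid);
  return ($node !== null && demo_node_access($node, $role)) ? $node : null;
}

// "Before": only the permission to post is tested, so the parent node is
// rendered for anyone who requests the reply path.
function demo_reply_page_before(int $nid, string $role, bool $can_post): string {
  $node = demo_node_load_raw($nid);
  if ($node === null) {
    return '404';
  }
  $out = $node['title'] . ': ' . $node['body'];
  return $out . ($can_post ? ' [reply form]' : ' [not allowed to post]');
}

// "After": view access is decided at load time, before anything is rendered.
function demo_reply_page_after(int $nid, string $role, bool $can_post): string {
  $node = demo_node_load_checked($nid, $role);
  if ($node === null) {
    return '403';  // same answer for a missing node and a forbidden one
  }
  $out = $node['title'] . ': ' . $node['body'];
  return $out . ($can_post ? ' [reply form]' : ' [not allowed to post]');
}

// Anonymous visitor without posting rights requesting the restricted node.
echo 'before: ', demo_reply_page_before(180, 'anonymous', false), "\n";
echo 'after:  ', demo_reply_page_after(180, 'anonymous', false), "\n";
echo 'member: ', demo_reply_page_after(180, 'member', true), "\n";
```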