[drupal-devel] [bug] Bypass access via comments
chx
drupal-devel at drupal.org
Sun Mar 20 09:31:39 UTC 2005
Issue status update for http://drupal.org/node/19009
Project: Drupal
Version: cvs
Component: comment.module
Category: bug reports
Priority: critical
Assigned to: chx
Reported by: nazadus
Updated by: chx
Status: patch
Attachment: http://drupal.org/files/issues/comment_reply_access_5.patch (1.65 KB)
chx
Previous comments:
------------------------------------------------------------------------
March 16, 2005 - 20:39 : nazadus
I believe I have found a bug.
If you goto http://www.etherpunk.com/comment/reply/180 (possibly NSFW)
it allows you to view the posting (while you don't have permission to
actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden
page was getting hit fairly common that I really don't want getting
shown (well, it's on the web, I know... but... I'd rather have more
controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny
------------------------------------------------------------------------
March 16, 2005 - 21:02 : pyromanfo
That's definitely something you need to take up with the comment module
guys. It's not just taxonomy access control either, it's the core
node_access hooks in Drupal. If they'll just check that before
displaying a node for reply, that'd fix it no problem.
------------------------------------------------------------------------
March 16, 2005 - 21:20 : moshe weitzman
filed under comment.module ... note that my big comment patch gets rid
of this page entirely (consolidates under comment/edit) so it might
make sense to apply my patch instead of fixing this.
------------------------------------------------------------------------
March 20, 2005 - 03:14 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)
moshe , http://drupal.org/node/18656 this does not seem to affect the
permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check
for access.
------------------------------------------------------------------------
March 20, 2005 - 03:24 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_0.patch (1.51 KB)
------------------------------------------------------------------------
March 20, 2005 - 03:37 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_1.patch (1.56 KB)
------------------------------------------------------------------------
March 20, 2005 - 03:38 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_2.patch (1.56 KB)
------------------------------------------------------------------------
March 20, 2005 - 09:48 : Anonymous
The discovery of this patch makes me wonder, whether we shouldn't
centralize the access controll a bit more.
If a core module can show this kind of bug, contrib modules will almost
certainly. I propose to do a node_access() check inside node_load.
Gerhard
------------------------------------------------------------------------
March 20, 2005 - 10:03 : Anonymous
I also don't think that the patch is working.
node_access(arg(2)) should probably be node_access('view', $node) and
the node needs loading before.
Gerhard
------------------------------------------------------------------------
March 20, 2005 - 10:28 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_3.patch (1.61 KB)
OK, patch corrected.
I think adding node_access to node_load would break havoc 'cos there
are some routines (even in core) which do not check whether the
node_load was successful or not. This is a whole another topic, please
make another issue.
What we need, IMHO is to patch this quickly...
------------------------------------------------------------------------
March 20, 2005 - 10:31 : chx
Attachment: http://drupal.org/files/issues/comment_reply_access_4.patch (1.65 KB)
I also forgot to check whether node_load was successful or not...
More information about the drupal-devel
mailing list