[Security-news] PSA-2010-002 - Views - Administer views permission

security-news at drupal.org
Wed Jun 16 22:33:06 UTC 2010


  * Advisory ID: PSA-2010-002
  * Project: Views (third-party module)
  * Versions: 5.x, 6.x
  * Date: 2010-June-16
  * Security risk: Not critical

-------- DESCRIPTION ---------------------------------------------------------

This is a public service announcement regarding the "administer views"
permission provided by the Views module. The Views module provides a flexible
method for Drupal site designers to control how lists and tables of content
are presented. The module grants considerable power to users with "administer
views" permission, with much of a site's behaviour being configurable via the
views administration pages. The permission "administer views" is therefore
comparable in scope to the "administer site configuration" permission. Only
grant this permission to trusted site administrators.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Views module for Drupal 5.x
  * Views module for Drupal 6.x

Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Only grant trusted site administrators the "administer views" permission.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
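
One way to check which roles and active accounts currently hold "administer views" is sketched below. This is an added example, not part of the original advisory or of the Views project. It assumes the Drupal 6 core tables role, permission (with perm stored as a comma-separated list), users and users_roles; the sample rows are constructed, and SQLite stands in for the site database.

```python
import sqlite3

TARGET = "administer views"
# Built-in roles held implicitly by every visitor / every logged-in user.
IMPLICIT_ROLES = {1: "anonymous user", 2: "authenticated user"}

def build_sample_db():
    """Constructed sample data in the assumed Drupal 6 table layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
                                (3,'site admin'),(4,'editor');
        INSERT INTO permission (rid, perm) VALUES
            (1,'access content'),
            (2,'access content, access all views'),
            (3,'access content, administer site configuration, administer views'),
            (4,'access content, administer views, create page content');
        INSERT INTO users VALUES (1,'root',1),(5,'alice',1),(6,'bob',1),(7,'carol',0);
        INSERT INTO users_roles VALUES (5,3),(6,4),(7,4);
    """)
    return db

def audit(db, target=TARGET):
    """Return [(role name, [holders])] for every role granted `target`."""
    findings = []
    rows = db.execute(
        "SELECT r.rid, r.name, p.perm FROM role r "
        "JOIN permission p ON p.rid = r.rid ORDER BY r.rid").fetchall()
    for rid, name, perm in rows:
        # Exact token match, so 'access all views' is not mistaken for the target.
        if target not in {p.strip() for p in perm.split(",")}:
            continue
        if rid in IMPLICIT_ROLES:
            holders = ["<every %s>" % IMPLICIT_ROLES[rid]]
        else:
            # Active accounts only (status = 1); uid 1 bypasses permission checks.
            holders = [n for (n,) in db.execute(
                "SELECT u.name FROM users u JOIN users_roles ur ON ur.uid = u.uid "
                "WHERE ur.rid = ? AND u.status = 1 ORDER BY u.name", (rid,))]
        findings.append((name, holders))
    return findings

if __name__ == "__main__":
    for role_name, holders in audit(build_sample_db()):
        print("%-20s %s" % (role_name, ", ".join(holders) or "(no active users)"))
```

Any role in the output other than a dedicated administrator role, and in particular the anonymous or authenticated role, is a grant to review against the advice above.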


