[Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-095

Project: Permissions by Term [1]
Date: 2019-December-11
Security risk: *Moderately critical* 13∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
The Permissions by Term module extends Drupal by functionality for
restricting access to single nodes via taxonomy terms.

The module doesn't sufficiently restrict access to node previews, when the
Search API module is used to display nodes in search result lists.

Solution: 
Install the latest version:

   * If you use the Permissions by Term module for Drupal 8.x, upgrade to
     Version 8.x-2.0 [3]
   * The settings have been refactored. They are now bundled in the
     "permissions_by_term.settings.yml" file. There are not so many settings,
     so you can simply visit PbT's settings page and set the settings 
manually.
     Like the setting for "single term restriction".

Also see the Permissions by Term [4] project page.

Reported By: 
   * Tamás Nagy [5]

Fixed By: 
   * Peter Majmesku [6]

Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/8.x-2.0
[4] https://www.drupal.org/project/permissions_by_term
[5] https://www.drupal.org/user/2252152
[6] https://www.drupal.org/user/786132
[7] https://www.drupal.org/u/greggles