Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Observed that while trying to create a project , project issue drop down is listing all the project irrespective of the user permission on the project .
Comment | File | Size | Author |
---|---|---|---|
#20 | project-node_access_restrictions_followup-1890906.patch | 5.94 KB | MustangGB |
Comments
Comment #1
josejayesh CreditAttribution: josejayesh commentedBy modifying the following function , we can fix this issue
File name = sites/all/modules/contrib/project/project.module
Please verify
Comment #2
josejayesh CreditAttribution: josejayesh commentedComment #3
dwwI haven't verified, but if this is true, it's an information disclosure security bug, which should normally be submitted to security.drupal.org not here. However, since the D7 version of this code hasn't been officially released yet, we can deal with this here publicly.
We don't have the same bug in the D6 version since we use db_rewrite_sql() for the query generating this listing, and that handles node access checks for us.
In D7, we're just using EntityFieldQuery to build the query for this, and from what I can tell, deep down that calls db_select() to create a dynamic query, which is how you're supposed to handle node access for listing queries in D7 and later.
If this really is a bug in Project* we need to fix it, but not by individually loading each project node and calling
node_access()
on it. That would be a gigantic number of queries on a site the size of Drupal.org with over 23K project nodes (and counting).OH, I see the problem. For node access to work for altering dynamic queries, we need to add a 'node_access' tag to our query before we execute it. Wow, I'm ashamed to admit I didn't already know that. ;) Whoops. We need to go through the whole Project* D7 code base and audit all our listing queries to make sure we're adding something like this to all of them:
Comment #4
drummhttp://api.7.devdrupal.org/api/drupal/includes%21entity.inc/class/Entity... says
The mechanism for this appears to be
modules/field/modules/field_sql_storage/field_sql_storage.module
:And in
modules/node/node.module
Project module does assume standard SQL storage in a few places, so I think it may be okay to rely on this. node.module itself does use
->addTag('node_access')
so it wouldn't hurt to use it ourselves.josejayesh, are you using any special field storage?
Comment #5
dwwThanks for the research, drumm.
Where's that? I wasn't aware of any such assumptions (other than the d.o Project* migration code). I *thought* we were being good citizens and using the proper APIs as necessary. If we're not, I'd consider that a bug we should fix (obviously in a separate issue).
Thanks,
-Derek
Comment #6
drummAt some point last year we became more sloppy about shortcuts to just get Drupal.org upgraded. A few things that stick out from
git grep -nE 'db_(select|query).*node'
:This does look a lot better than I had assumed.
Comment #7
dwwDiscussion of SQL field storage is now at #1894404: Project* should not assume SQL field storage. ;)
However, the point that's still relevant to this thread is this:
So, it still seems like we want to add the 'node_access' tag to all queries we're generating that should be respecting node access, whether those are directly querying {node}, are coming from EntityFieldQuery, or whatever. Right?
Meta: this issue makes me scared. A couple of very senior members of the Drupal community, both of us who sit on the security team, can't easily figure out how to make node access work during a D7 port. Yikes. ;) Seems like a combination of things getting too complicated for their own good, coupled with insufficient documentation...
-Derek
Comment #8
drummSounds good. Looks like core does this, and we should too.
Comment #9
josejayesh CreditAttribution: josejayesh commented#4 @drumm i am not using any special field storage.
Comment #10
drummI went ahead and committed the addTag for the original problem in this issue: http://drupalcode.org/project/project.git/commitdiff/e09ddcd?hp=5eb46db3...
josejayesh - can you confirm that it works for you?
(Leave the issue open, there are other places this needs to be added.)
Comment #11
josejayesh CreditAttribution: josejayesh commentedIt is working for me .Thanks drumm.
Comment #12
dww@josejayesh: Excellent, glad to hear it. ;)
@drumm: Thanks for getting the conversion started!
Cheers,
-Derek
Comment #13
josejayesh CreditAttribution: josejayesh commented@drumm + dww
Whether we need to apply $query->addTag('node_access'); every where in the project module or only in the 'function project_projects_select_options'
Thanks
~Jayesh
Comment #14
dww@josejayesh: Not just project_projects_select_options(), no. But not necessarily everywhere, either. We need to review all the queries and see which ones need to respect node access. Generally, anything touching {node} needs this tag, although not necessarily (e.g. internal queries to compute results that aren't going to be directly displayed to end users, etc). That's why drumm left the issue active, since there's still (a lot?) more work to do here.
Thanks,
-Derek
Comment #15
josejayesh CreditAttribution: josejayesh commented@Derek thanks for the update . I will try to review the complete project module , once it is done i'll post my findings here .
Thanks
~Jayesh
Comment #16
josejayesh CreditAttribution: josejayesh commentedGuys
I am not observing information disclosure security issue any where else
Thanks
~Jayesh
Comment #17
dwwGreat, thanks for the update! I still think we should just grep the code and make sure there aren't any places we're missing, but it's good to hear you haven't found anything yet yourself.
Cheers,
-Derek
Comment #18
hass CreditAttribution: hass commentedRe #7:
I fully support this... :-))). Nearly zero documentation, no useful examples...
Comment #19
dwwFYI: sort of related but separate bug (now fixed): #1950484: Not checking node access on the project node when creating new issues
Comment #20
MustangGB CreditAttribution: MustangGB commentedNo sanity checking or testing has been done, I just greped and added tags.
Comment #21
drummSome sanity checking is needed. For example,
….drush.inc
should not do access checking; if something is running packaging, it should be able to access everything.Comment #23
dwwI took a new stab at this. Unfortunately, the patch from #20 was wrong in almost all cases:
project_release_query_releases_by_branch()
), there's an argument to the function that determines if we want to enforce access or not, and we need to only add the node_access tag to the query if that function argument says so.In the commit I pushed, I tried to add code comments in the places where we don't want node_access tagging. I also commented on the places where we really do want the node_access, and why. Hopefully it's clear.
Thanks everyone!
-Derek