When i enable the mobule all my unpublished nodes can be accessed by anonymous users.

Until someone figures out how this module work (i didn't) all of his unpublished nodes are accessed by anonymous users. I think this is a little bit dangerous and have to be documented and mentioned.

Comments

  • 91280b5 committed on 7.x-1.x 
    Issue #2295617: Accessible unpublished nodes fixed
daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented
Assigned: Unassigned » daniel korte

Thanks for bringing this to my attention. I'm working with the Security Team on getting a fix for this out soon.

After enabling the module you'll need to visit the module settings page (/admin/config/people/nodeaccesskeys/settings) and set a default content type.

Also, you can check out the documentation here on how to create an access key.

daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented

chrbak, could you possibly retest and comment here if you found this issue to be fixed. Thank you!

chrbak’s picture

chrbak commented

Hello Daniel, I have retested the module with the committed patch and I can confirm that the issue is fixed. Additionally now I can use the module as you describe here.

I am posting here because the link you sent me to comment redirects me to security.drupal.org/ propably because I am not a member..

daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented
Status: Active » Closed (fixed)

Thanks for your help on this chrbak, the fix has committed to the current version of the module, 7.x-1.2.

David_Rothstein’s picture

David_Rothstein commented

Yes, thank you for helping with this. But if you discover any potential security issues in the future, please follow the procedure at https://www.drupal.org/security-team/report-issue to report it privately to the security team (rather than reporting it in the public issue queue)... thanks!