Any logged-in user has the ability to administer this module, which exposes the server path to your password files.

Comments

m.fu’s picture

Status: Active » Needs work

Sorry, I cannot reproduce the problem.

Could you tell me which permission you gave the user?
Where do you see this information?

thanks, m.fu

m.fu’s picture

Priority: Critical » Minor
Status: Needs work » Postponed (maintainer needs more info)

As stated I cannot reproduce the faulty behaviour. I am closing the issue.

m.fu’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)
andrew_mallis’s picture

Priority: Minor » Major
Status: Closed (cannot reproduce) » Active

Hi.
Been a while… I didn't get the notices. Sorry.

The issue comes down to being able to access this configuration page at:
/admin/user/htpasswdsync

This page can be accessed by any role that has the "access administration pages" permission selected, regardless of options set under "administer htpasswdsync".

To reproduce, create a test role and assign only that permission to a user. You will see that they can administer htpasswdsync.

While the average user won't generally have this permission, site administrators or editors might and this could in some cases prove to be an important security concern.

m.fu’s picture

Andrew,
I probably have found the problem. A misconfiguration in the _menu hook.
I shall get a patch out soon.
Cheers,
M.
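An illustration of the kind of hook_menu misconfiguration discussed above, added here as example code; it is not the module's actual code or the patch, and the form callback name and the `_vulnerable` suffix (used so both variants fit in one file) are assumed. Drupal 6 routes a menu item's `access arguments` through `user_access()`, so the item's permission string decides who can open `/admin/user/htpasswdsync`:

```php
<?php
// Added illustration (not the htpasswdsync module's own code): the same
// Drupal 6 admin menu item gated by a generic permission versus by the
// module's own permission.

/**
 * Implements hook_perm(): declares the module-specific permission
 * that site builders expect to control this page.
 */
function htpasswdsync_perm() {
  return array('administer htpasswdsync');
}

/**
 * Weak version (renamed so it can coexist with the fixed one below).
 *
 * 'access administration pages' is granted to many editor and admin
 * roles, so every such role can open the page and read the configured
 * password-file paths, whatever 'administer htpasswdsync' is set to.
 */
function htpasswdsync_menu_vulnerable() {
  $items['admin/user/htpasswdsync'] = array(
    'title' => 'htpasswd sync',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('htpasswdsync_admin_settings'), // assumed name
    'access arguments' => array('access administration pages'), // too broad
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Implements hook_menu(): hardened version.
 *
 * The default access callback is user_access(), so the router now checks
 * user_access('administer htpasswdsync') and only roles explicitly
 * granted the module's permission reach the settings form.
 */
function htpasswdsync_menu() {
  $items['admin/user/htpasswdsync'] = array(
    'title' => 'htpasswd sync',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('htpasswdsync_admin_settings'), // assumed name
    'access arguments' => array('administer htpasswdsync'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}
```

After changing a menu definition, clear the menu router cache (e.g. via admin/settings/performance or `menu_rebuild()`), since Drupal 6 caches the access arguments in the router table; the reproduction step above (a role with only "access administration pages") should then be denied the page.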

m.fu’s picture

Status: Active » Fixed

Fixed in 6.x-1.6-rc1

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.