In my use case, I've built a feature for Open Atrium that integrates sheetnodes into the notebook section. This works fine, except that I can reference values from any sheetnode on the site. This includes those in other (OG-based, btw) groups; even those to which the user ought not to have access.

To replicate:
* create a private group
* create a sheetnode within the private group
* create a public group
* add a new user subscribed only to the public group
* log in as the new user
* confirm that you can't access the sheetnode in the private group (e.g., by typing in the URL)
* create a new sheetnode in the public group
* reference a cell from the sheetnode in the private group

I think this last step should fail. In fact, even were the user to have access to the private group, I think this should fail.

Comments

infojunkie’s picture

Thanks for this report. I will ensure the security of referenced nodes using the standard Drupal node access mechanism.

ergonlogic’s picture

Do you mind my asking what you have in mind?

I didn't propose any solutions, because, as I understand it at least, most access control mechanisms in Drupal are user-based, and I haven't been able to figure out how that could work properly. Would you use the UID of the sheetnode's author, or of the user currently viewing or editing it, for example?

Ideally, there would be some way to selectively and securely reference sheetnode content. An example use-case:
* we have a sheetnode with a list of products and costs from our supplier, that we want to keep private
* we also want to publish (publicly) another sheetnode showing retail prices derived from those costs
* prices are derived from costs via a standard markup percentage maintained on a third sheet, also private.

Perhaps there's a simple way to implement this, but I can't seem to wrap my head around it. Any suggestions would be appreciated.
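The replication steps from the report, modeled as an added Python example (not code from this thread or from the Sheetnode module): view access is checked against one account on every sheet a reference touches, so an indirect reference through a public sheet is refused as well. All names (`can_view`, `resolve`, the group names and cell values) are hypothetical, and `can_view` only stands in for a real node access check.

```python
from dataclasses import dataclass, field

class ReferenceDenied(Exception):
    """A reference targets a sheet the checked account may not view."""

@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset

@dataclass
class Sheet:
    group: str
    private: bool
    cells: dict = field(default_factory=dict)  # cell -> number or ("ref", nid, cell)

def can_view(account, sheet):
    # Hypothetical stand-in for a node access check: private needs membership.
    return not sheet.private or sheet.group in account.groups

def resolve(sheets, nid, cell, account, seen=frozenset()):
    """Resolve a cell, checking view access on every sheet the lookup touches."""
    if (nid, cell) in seen:
        raise ValueError("circular reference")
    sheet = sheets[nid]
    if not can_view(account, sheet):
        raise ReferenceDenied(f"{account.name} may not read sheet {nid}")
    value = sheet.cells[cell]
    if isinstance(value, tuple) and value[0] == "ref":
        return resolve(sheets, value[1], value[2], account, seen | {(nid, cell)})
    return value

def try_resolve(sheets, nid, cell, account):
    """Return the resolved value, or "DENIED" when the access check refuses it."""
    try:
        return resolve(sheets, nid, cell, account)
    except ReferenceDenied:
        return "DENIED"

# Constructed sample data mirroring the replication steps in the report.
SHEETS = {
    1: Sheet("private-group", True, {"A1": 40}),                # private sheetnode
    2: Sheet("public-group", False, {"A1": ("ref", 1, "A1")}),  # direct reference
    3: Sheet("public-group", False, {"A1": ("ref", 2, "A1")}),  # indirect, via sheet 2
}
NEW_USER = Account("new_user", frozenset({"public-group"}))
MEMBER = Account("member", frozenset({"public-group", "private-group"}))

if __name__ == "__main__":
    for nid in (1, 2, 3):
        print(nid, try_resolve(SHEETS, nid, "A1", NEW_USER),
              try_resolve(SHEETS, nid, "A1", MEMBER))
```

Passing the sheet author's account as `account` instead of the viewer's models the other option raised in the comment: in this model, whatever the author may read is then what every viewer of the public sheet sees.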

infojunkie’s picture

Version: 6.x-1.5-beta3 » 6.x-1.x-dev

I should work on this.

infojunkie’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev

Moving to D7 for fixing.

infojunkie’s picture

Issue tags: +Security