See SA-CORE-2011-003 - there is an access bypass issue in Comment module that was fixed in Drupal 7. This fix needs to be applied to the 8.x development branch also.
I've uploaded the patch from Drupal 7 to this issue (taken from http://drupalcode.org/project/drupal.git/patch/b38a806). It seems to apply to D8, but beyond that I haven't checked that it's good.
| Comment | File | Size | Author |
|---|---|---|---|
| | b38a806.patch | 2.28 KB | David_Rothstein |
Comments
Comment #1
Anonymous (not verified) commented
Tested and it works.
I added a filefield with Private access to the comment. I then created a node, commented with a file on the node, and unpublished the node.
When I visited with an anonymous user, without the patch I had access to the file. With the patch, I did not.
RTBC.
Comment #2
catch
Thanks! Committed and pushed to 8.x.