I noticed that the confirmation form doesn't include a token. If you have some conditions in your rules to hide the link in some circumstances, the link won't be shown, but a user can replicate the link structure, change parameters, etc., and he will get access to the confirmation form (and also to rule execution).

Comments

sepgil

Status: Active » Postponed (maintainer needs more info)

I'm not sure if I get the problem...
The idea of the token is to prevent immediate access to the rules execution. The token prevents that by showing a confirmation form.
It would be great if you could explain your argument in more detail and give an example of how to exploit the confirmation form.

dariogcode

Hi,

I'm using it with Views, and the confirmation link doesn't have a token. I just tried, and this is the link I got:

Normal:

change-status/22/no_esta_interesado/sUONdjvcF9l1c976YL0rxEh1qcYovr3T_kMs0OA3cPw?destination=user/18/siac/all/22

Confirmation:

change-status/22/no_esta_interesado?destination=user/18/siac/all/22

The first one is only accessible by the current user; the second link is accessible by any other authenticated user.

I hope this is clear now.

Paul B

Status: Postponed (maintainer needs more info) » Active

nitrocad

You can protect the link and the URL by adding the following condition:

  • Compare the node/entity author with the current logged in user.

This is a critical bug; I don't know why this has been left unsolved for 5 years....
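The two URL shapes dariogcode quotes show the gap: the execution link carries a token, the confirmation link does not, so anyone authenticated who can guess the path reaches the confirmation form. The sketch below is an added example written for this thread, not code from the Rules Link module or from Drupal; it models a token bound to the link path and the requesting user's session (in the spirit of Drupal's drupal_get_token(), but with a constructed site key and a constructed entity-ownership table) and checks it on both the execute and the confirm route, together with nitrocad's author-equals-current-user condition. The `change-status/<id>/<action>` path shape is taken from the URLs above; `confirm/<token>` as the tokened confirmation route is an assumption of this example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed stand-ins: a site secret and an ownership table (entity 22 is
# owned by user 18, matching the destination in the URLs quoted in the thread).
SITE_PRIVATE_KEY = b"constructed-site-private-key"
ENTITY_OWNER = {22: 18}


def link_token(path: str, session_id: str) -> str:
    """Token bound to both the link path and the requesting user's session.

    HMAC over the path, keyed with the site key plus the session id, so a
    token minted for one user's link is useless to another user and on any
    other path. This mirrors the shape of Drupal's token scheme; it is not
    Drupal's implementation.
    """
    key = SITE_PRIVATE_KEY + session_id.encode()
    return hmac.new(key, path.encode(), hashlib.sha256).hexdigest()


def build_links(entity_id: int, action: str, session_id: str, destination: str) -> dict:
    """Return an execution link and a confirmation link that both carry the token."""
    base = f"change-status/{entity_id}/{action}"
    token = link_token(base, session_id)
    return {
        "execute": f"{base}/{token}?destination={destination}",
        # Assumed route for the confirmation form; the point is that it is tokened.
        "confirm": f"{base}/confirm/{token}?destination={destination}",
    }


def check_link(url: str, session_id: str, current_uid: int):
    """Decide whether a request to a change-status link may proceed.

    Returns (allowed, reason). Both defences from the thread apply: the token
    must be present and valid for this session, and the entity's author must
    be the current user.
    """
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "change-status" or not parts[1].isdigit():
        return False, "not a change-status link"
    entity_id, action = int(parts[1]), parts[2]
    base = f"change-status/{entity_id}/{action}"

    # Accept .../<token> (execute) or .../confirm/<token>; anything else is the
    # token-less confirmation URL from the report, which is denied outright.
    rest = parts[3:]
    if len(rest) == 1:
        token = rest[0]
    elif len(rest) == 2 and rest[0] == "confirm":
        token = rest[1]
    else:
        return False, "missing token"

    # Constant-time comparison against the token this session should hold.
    if not hmac.compare_digest(token, link_token(base, session_id)):
        return False, "bad token"
    # nitrocad's condition: compare the entity author with the logged-in user.
    if ENTITY_OWNER.get(entity_id) != current_uid:
        return False, "not the entity author"
    return True, "ok"


if __name__ == "__main__":
    links = build_links(22, "no_esta_interesado", "sess-18", "user/18/siac/all/22")
    print(check_link(links["confirm"], "sess-18", 18))
    print(check_link("change-status/22/no_esta_interesado?destination=user/18/siac/all/22", "sess-18", 18))
    print(check_link(links["execute"], "sess-99", 99))
```

Run as a script it prints an allow for the owner's tokened confirmation link, a "missing token" denial for the bare confirmation URL from the report, and a "bad token" denial when another session replays the owner's link. Either check alone closes the reported hole; applying both means a leaked token still cannot be used against an entity the requester does not own.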