This great module is potentially leaking some information without intent. The problem lies in the access control to the menu item 'colorbox/%colorbox_node_url' as it only checks for the permission 'access content'. This is not sufficient for nodes if someone is using more fine-grained access control on nodes and it is not sufficient if someone is using colorbox_node for other links on the local page.

A simple solution is to introduce your own access control callback and check access on the original path there.

I'm submitting a patch with such a solution shortly.
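The approach described in the issue summary above, sketched for Drupal 7 as an added example; it is not the attached patch or the module's own code. The module name `example`, the callback name `example_colorbox_access`, and the assumption that path argument 1 of the route carries the original internal path as a string are all hypothetical.

```php
<?php

/**
 * Implements hook_menu_alter().
 *
 * "example" is a hypothetical module name. This swaps the permission-only
 * check on the Colorbox route for a callback that re-checks the target path.
 */
function example_menu_alter(&$items) {
  if (isset($items['colorbox/%colorbox_node_url'])) {
    $items['colorbox/%colorbox_node_url']['access callback'] = 'example_colorbox_access';
    // Assumption: path argument 1 carries the original internal path.
    $items['colorbox/%colorbox_node_url']['access arguments'] = array(1);
  }
}

/**
 * Access callback: allow the wrapper route only if the current user could
 * also open the wrapped path directly.
 */
function example_colorbox_access($path) {
  // Keep the baseline permission the route already required.
  if (!user_access('access content')) {
    return FALSE;
  }
  // Fail closed when the wildcard did not yield a usable path.
  if (!is_string($path) || $path === '') {
    return FALSE;
  }
  // Resolve a URL alias to its system path (for example "node/12").
  $system_path = drupal_get_normal_path($path);
  // menu_get_item() evaluates the target route's own access callback for
  // the current user, so node access modules and the permissions of
  // non-node pages are both honoured.
  $router_item = menu_get_item($system_path);
  // No matching route, or access denied on the target: deny here as well.
  return !empty($router_item['access']);
}
```

To check the result, load the `colorbox/...` URL for a node that a test account cannot view directly; it should return the same access-denied response as the node's own path.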


Comments

jurgenhaas’s picture

Attached is the promised patch

jurgenhaas’s picture

Small correction to the patch as the previous one created a conflict with hook_access() from the node module.

  • iLLin committed 070b3b1 on 7.x-3.x authored by jurgenhaas
    Issue #2427319 by jurgenhaas: Better access control
    
iLLin’s picture

Status: Active » Needs review
iLLin’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.