Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This great module is potentially leaking some information without intent. The problem lies in the access control to the menu item 'colorbox/%colorbox_node_url' as it only checks for the permission 'access content'. This is not sufficient for nodes if someone is using more fin grained access control on nodes and it is not sufficient if someone is using colorbox_node for other links on the local page.
A simple solution is to introduce your own access control callback and check access on the original path there.
I'm submitting a patch with such a solution shortly.
Comment | File | Size | Author |
---|---|---|---|
#2 | better_access_control-2427319-2.patch | 1023 bytes | jurgenhaas |
#1 | better_access_control-2427319-1.patch | 1013 bytes | jurgenhaas |
Comments
Comment #1
jurgenhaasAttached is the promissed patch
Comment #2
jurgenhaasSmall correction to the patch as the previous one created a conflict with hook_access() from the node module.
Comment #4
iLLin CreditAttribution: iLLin commentedComment #5
iLLin CreditAttribution: iLLin commented