Now that #1890906: Information disclosure: Project* is not properly allowing node_access to work on listing queries in D7 is fixed, I started looking into the equivalent bugs for project_issue, and it looks like we are indeed missing some node_access tags in various queries. I'm working on it now. Stay tuned for patch and/or commits. The good news is it appears we're only potentially leaking project titles, not issue node titles. At least in the case of sec.d.o, leaking project titles isn't really an info disclosure bug. So, I feel okay dealing with this here in the open.
Comment | File | Size | Author |
---|---|---|---|
#1 | 2490022-1.project-issue-node-access.patch | 6.96 KB | dww |
Comments
Comment #1
dww
Comment #2
dww
Comment #4
dww
drumm looked this over at the sprint. He said "looks good", so I pushed the commit. If something breaks, we'll find out. ;)
Comment #6
dww
Hah, by the time the bot ran this, I had already pushed the fix. ;)
Comment #8
alexandrezia
This fix has introduced a bug on login, please see this issue: https://www.drupal.org/node/2559613
Comment #9
alexandrezia
Comment #10
drumm
Moving back to fixed since #2559613: Error on login after [#2490022] Properly enforce node_access on list queries. Commit tracks the issue.