Security note: I have been asked by the Drupal Security Team to make this a public issue, because this module is not in production and is therefore not supported by the Drupal Security Team.

This module has an escalated privilege vulnerability. If a field collection has been published, a user who has edit privileges but not publishing privileges can edit the collection such that the changes are published on save.

Tested with Field collection 7.x-1.0-beta11 and Workbench Moderation 7.x-1.4.

You can see this vulnerability by:

1. Enabling the Field collection module as well as Workbench Moderation with Draft-Needs Review-Publish states (we currently also have an Archive state, but I did not archive any content as part of this test)

2. As a user with admin authority:
a. Create a field collection consisting of a title and one or more files.
b. Create a content type that includes this field collection as a multiple-occurrence field.

3. As a user with edit but not publish authority:
a. Add > click that content type
b. In the field collection, use a title of "test 1 edit 1"
c. Add a file to the field collection. Give it a description of "test 1 file 1"
d. Click the button to add another instance of the field collection
e. In the new instance, use a title of "test 2 edit 1"
f. Add a file to the new field collection. Give it a description of "test 2 file 1"
g. Save the page
h. Apply set status to Needs review

4. As a user with publish authority:
a. View the draft
b. Apply set status to Published

5. As a user with edit but not publish authority:

a. View the published version
b. Click New draft
c. Rename the first field collection "test 1 edit 2"
d. Rename the second field collection "test 2 edit 2"
e. Remove the file on the second field collection and upload a different file. Give it a description of "test 2 file 2"
f. Save the page

6. As an anonymous user:

a. Visit the page

Actual result:
test 1 edit 2 with file test 1 file 1
test 2 edit 2 with file test 2 file 2

Expected result:
test 1 edit 1 with file test 1 file 1
test 2 edit 1 with file test 2 file 1
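The following is an added example and not code from this report, the Field collection module or Workbench Moderation. It is a small Python model of steps 3 to 6 above, written so that the report's actual and expected results can be checked mechanically. It assumes a mechanism the report does not diagnose: that the new draft shares its field collection items with the published revision, so an in-place edit by the editor changes what anonymous users see. `copy_items_on_new_draft=True` models the behaviour a fix would need to provide (the draft owns its own copies), and `published_view_is_stable` is the regression check that tells the two apart. The role names, permission strings and the `Node` API are constructed for the model.

```python
import copy
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a role attempts an operation it has no permission for."""


# Constructed permission sets: the editor role lacks the transition to Published.
PERMS = {
    "editor": {"edit", "moderate to needs_review"},
    "publisher": {"edit", "moderate to needs_review", "moderate to published"},
    "anonymous": set(),
}


@dataclass
class FieldCollectionItem:
    title: str
    file_description: str


@dataclass
class Revision:
    vid: int
    state: str    # "draft", "needs_review" or "published"
    items: list   # FieldCollectionItem objects attached to this revision


class Node:
    """A moderated node whose revisions each carry a list of field collection items."""

    def __init__(self, copy_items_on_new_draft):
        self.revisions = []
        self.published_vid = None
        # Assumed root-cause switch: False lets a new draft reference the very
        # same item objects as the published revision, True gives it copies.
        self.copy_items_on_new_draft = copy_items_on_new_draft

    @staticmethod
    def _require(user, perm):
        if perm not in PERMS[user]:
            raise AccessDenied(f"{user} lacks '{perm}'")

    def _add_revision(self, items):
        rev = Revision(len(self.revisions) + 1, "draft", items)
        self.revisions.append(rev)
        return rev

    def latest(self):
        return self.revisions[-1]

    def published(self):
        return None if self.published_vid is None else self.revisions[self.published_vid - 1]

    def create(self, user, items):
        self._require(user, "edit")
        return self._add_revision(list(items))

    def set_state(self, user, state):
        # Moderation transitions are permission-checked; this check is not the
        # weak point, the sharing of items between revisions is.
        self._require(user, f"moderate to {state}")
        rev = self.latest()
        rev.state = state
        if state == "published":
            self.published_vid = rev.vid

    def new_draft(self, user):
        self._require(user, "edit")
        src = self.published().items
        return self._add_revision(copy.deepcopy(src) if self.copy_items_on_new_draft else src)

    def edit_item(self, user, index, title=None, file_description=None):
        self._require(user, "edit")
        item = self.latest().items[index]   # edited in place, as a widget save would
        if title is not None:
            item.title = title
        if file_description is not None:
            item.file_description = file_description

    def anonymous_view(self):
        rev = self.published()
        return [] if rev is None else [(i.title, i.file_description) for i in rev.items]


# The report's "Expected result": what anonymous users should still see after step 5.
EXPECTED_PUBLISHED = [("test 1 edit 1", "test 1 file 1"), ("test 2 edit 1", "test 2 file 1")]


def run_scenario(copy_items_on_new_draft):
    """Replay steps 3 to 6 of the report and return what an anonymous user sees."""
    node = Node(copy_items_on_new_draft)
    node.create("editor", [FieldCollectionItem("test 1 edit 1", "test 1 file 1"),
                           FieldCollectionItem("test 2 edit 1", "test 2 file 1")])
    node.set_state("editor", "needs_review")                                            # 3h
    node.set_state("publisher", "published")                                            # 4b
    node.new_draft("editor")                                                            # 5b
    node.edit_item("editor", 0, title="test 1 edit 2")                                  # 5c
    node.edit_item("editor", 1, title="test 2 edit 2", file_description="test 2 file 2")  # 5d, 5e
    return node.anonymous_view()                                                        # 6a


def editor_cannot_publish_directly():
    """Sanity check on the model: the editor cannot move a draft to Published."""
    node = Node(True)
    node.create("editor", [FieldCollectionItem("x", "y")])
    try:
        node.set_state("editor", "published")
    except AccessDenied:
        return True
    return False


def published_view_is_stable(copy_items_on_new_draft):
    """Regression check: a non-publisher's draft edits must not alter the public view."""
    return run_scenario(copy_items_on_new_draft) == EXPECTED_PUBLISHED


if __name__ == "__main__":
    print("shared items:", run_scenario(False), "stable:", published_view_is_stable(False))
    print("copied items:", run_scenario(True), "stable:", published_view_is_stable(True))
```

With shared items the model reproduces the report's "Actual result" exactly, even though the moderation permission check itself is enforced; the regression check is the assertion a site owner would want in a test suite for any module that attaches sub-entities to moderated content.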

Comments

Charles Belov created an issue. See original summary.

Charles Belov

Title: When used with Workbench Moderation, user with edit but not publish authority can publish edits to published items in a field collection » Security: When used with Workbench Moderation, user with edit but not publish authority can publish edits to published items in a field collection

Charles Belov

Issue summary: View changes