I have two main admin roles. A super admin and normal administrators.
Only the super admin has the "Grant content access" and "Grant own content access" permissions.
However, a normal admin is able to change the access control for the various content types.
Is this designed like this intentionally?
Comments
Comment #2
legolasbo commented:
This issue describes an access bypass vulnerability.
Comment #3
Alan D. commented:
Not critical, as this checks related similar permissions that have the restrict access flag set.
Thus also a non-noticeable security issue (if it was a full release).
It seems that this service (access_check.content_access_admin_settings_access) only applies to the single admin page?
So maybe something like:
Albeit "grant content access" permission is more related to granting access on individual nodes. The permission "administer nodes" really doesn't make sense though?
Comment #4
presleyd commented:
Can you more fully describe the permissions given to your two admin roles? I can't reproduce this with any combination of permissions.
Comment #5
mkindred commented:
I cannot reproduce this error. It seems to act as I'd expect.
View any page content
View own page content
Edit own page content
Delete any page content
Delete own page content
I tested to see whether that role is able to alter content access for the content type or a node of that type, adding related permissions (one at a time).
If this is one of only two issues keeping content_access from being covered by SA policy, it'd be great to get confirmation whether this issue still exists.
Comment #6
gisle commented:
Testing.
Comment #7
gisle commented:
Restoring
Comment #8
gisle commented:
According to the original issue summary, the problem arises when there are two admin roles: a super admin (presumably user #1) and a "normal" administrator. It was unclear what is meant by a "normal" administrator. It is asked by presleyd in comment #4, but not replied to.
However, I've found that if the "normal" administrator has the permission to "Administer content" (machine name administer nodes), then he/she can edit content access for a content type without having the 'Grant content access' permission. I think this is by (bad) design. It seems that the original author of this module thought of administer nodes as a permission to bypass access control, and that this is actually a duplicate of #3144670: Check "Bypass content access control" to determine global access.
Comment #9
gisle commented:
Fixed in #3144670: Check "Bypass content access control" to determine global access.
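As an added illustration, not the content_access module's own code, of the root cause gisle describes in comment #8 and the direction of the fix in comment #9: a hypothetical Drupal access check for a content type's access settings page, showing the overly broad check that accepts "administer nodes" beside a tightened one that only accepts the module's own "grant content access" or core's "bypass node access" (labelled "Bypass content access control"). The class, method and service names are assumed.

```php
<?php

namespace Drupal\example_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical access check guarding a per-content-type access settings page.
 *
 * Would be registered as a service tagged "access_check" and referenced from
 * the route's requirements; the service id below is an assumption.
 */
class ContentTypeAccessSettingsCheck implements AccessInterface {

  /**
   * Overly broad variant (the behaviour reported in this issue).
   *
   * "administer nodes" is accepted as equivalent to "grant content access",
   * so a "normal" administrator who only administers content can rewrite
   * the access rules for every content type.
   */
  public function accessBroad(AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermissions(
      $account,
      ['administer nodes', 'grant content access'],
      'OR'
    );
  }

  /**
   * Tightened variant: only the module's own permission or the core
   * "bypass node access" permission ("Bypass content access control"),
   * which is already flagged as restricted, opens the settings page.
   *
   * allowedIfHasPermissions() marks the result as varying per permission,
   * so the cached decision is recomputed when a role's permissions change.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermissions(
      $account,
      ['bypass node access', 'grant content access'],
      'OR'
    );
  }

}
```

A role-by-role check of who reaches the settings route before and after the change (for example with a test user holding only "administer nodes") is the quickest way to confirm that the tightened check behaves as comment #8 expects.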
Comment #10
mkindred commented:
Are there other issues keeping this module from being covered by the security policy? If so, I can help testing.
Comment #11
gisle commented:
I keep track of those that need to be resolved before we can make a stable release 8.x-1.0 with security coverage here: #3143952: [meta] Content Access release 2.0.0.
If you want to see a release with security coverage, those are the ones to focus on.