I have discovered that any user would send any content due to the lack of specific permissions to enable or disable the "Send node to subscribers" action. Security team has cleared this issue to be fixed publicly.

I think this may be a security issue due to the ability to send spam to subscribed users easily.

If I am wrong, I apologize for any inconvenience.

Regards,

Javier

Comments

lashad’s picture

lashad commented

Hello Javier,

It already done. You can check out latest code from cvs:
cvs -z6 -d:pserver:anonymous:anonymous@cvs.drupal.org:/cvs/drupal-contrib checkout -d postsubscribe contributions/modules/postsubscribe/

Thank you.