This issue was originally reported by @zrpnr at https://security.drupal.org/node/170009. The Drupal Security Team determined that this issue should be handled in public.
Problem/Motivation
I was trying to get comments via jsonapi and render the comment author. If I try to include the user, only the label is included in the response.
If I try to include the user_picture field directly, I get an "insufficient authorization" warning because my anonymous request only "has authorization for the 'view label' operation".
This seems to reveal that the comment module is not checking access to this field for anonymous users.
Steps to reproduce
1. Install the standard Profile
2. Add a picture to the admin user
3. Comment on a node as admin
4. As an anonymous user with the "access content" permission, visit the node to see the admin's picture.
This is an access bypass because the anonymous user does not have the "View user information" permission.
Discussion summary
Discussed by @damienmckenna, @larowlan, and @greggles of the Drupal Security Team.
Consensus was that this can be discussed and changed in public since it's the way Drupal has worked for a long time and is expected behavior at this point. Changing it would be a backwards compatibility issue.
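Since core keeps the current behavior, a site that wants the picture hidden from anonymous users can enforce it itself at the field-access layer, which comment rendering does consult even though it skips the user entity's "view" access check. The following is an added example, not Drupal core's code or the reporter's; the module name comment_picture_access is an assumption, and "access user profiles" is the machine name of the "View user information" permission mentioned above.

```php
<?php

/**
 * @file
 * Hypothetical module "comment_picture_access" (name is an assumption).
 *
 * Restricts viewing of the user_picture field to accounts holding the
 * "access user profiles" permission, so rendering a user in the "compact"
 * view mode (as comments do) no longer exposes the picture to anonymous
 * users. Added example, not Drupal core code.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 */
function comment_picture_access_entity_field_access(
  $operation,
  FieldDefinitionInterface $field_definition,
  AccountInterface $account,
  FieldItemListInterface $items = NULL
) {
  // Only the "view" operation on the user entity's picture field matters.
  if ($operation !== 'view'
    || $field_definition->getTargetEntityTypeId() !== 'user'
    || $field_definition->getName() !== 'user_picture') {
    return AccessResult::neutral();
  }

  // A user may always see their own picture (e.g. on their own comments).
  // The result depends on who is asking, so it must vary per user.
  if ($items !== NULL && $items->getEntity()->id() == $account->id()) {
    return AccessResult::neutral()->cachePerUser();
  }

  // Everyone else needs the same permission that viewing the user entity
  // itself requires. forbidden() overrides the handler's default allow;
  // cachePerPermissions() keeps the render cache correct per role set.
  return AccessResult::forbiddenIf(!$account->hasPermission('access user profiles'))
    ->cachePerPermissions();
}
```

After enabling such a module, clear caches and repeat steps 1 to 4 above: the picture should disappear for the anonymous visitor while remaining visible to users who hold "View user information".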
Comments