Currently, there is no field-level 'edit' access check for text/format fields that guarantees that a user has permission to use the format she is trying to set. This caused the following security issue in RestWS: https://security.drupal.org/node/93428, and a similar issue in Services Entity: https://drupal.org/node/2059845, and D8 REST services: https://drupal.org/node/2064181.
It's debatable where this should be fixed. I've also opened an issue in D7 core (https://drupal.org/node/2060237) which fixes it in text.module, but interactions with the text-format widget force a change in the way that fields which a user can't edit are handled on forms (disabled rather than hidden), so I'm not sure if it's the best solution.
The patch to follow attempts to fix this on the Entity Metadata level.
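As an added example (not the attached patch, which works at the Entity Metadata level rather than in a field hook), here is the kind of field-level check the summary says is missing, written as a Drupal 7 hook in a hypothetical module named `mymodule`. It assumes only the standard D7 Field and Filter APIs (`field_info_instances()`, `filter_format_load()`, `filter_access()`), and runs on every `field_attach_validate()` call, so it also covers REST/Services saves that never go through the text-format form widget.

```php
<?php
/**
 * Implements hook_field_attach_validate().
 *
 * Rejects any text field item whose 'format' the acting user may not use.
 * field_attach_validate() is called for form submissions as well as for
 * programmatic/REST saves, so the check does not depend on the widget.
 */
function mymodule_field_attach_validate($entity_type, $entity, &$errors) {
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  // Core field types that carry a 'format' column.
  $text_types = array('text', 'text_long', 'text_with_summary');

  foreach (field_info_instances($entity_type, $bundle) as $field_name => $instance) {
    $field = field_info_field($field_name);
    if (!in_array($field['type'], $text_types, TRUE) || empty($entity->{$field_name})) {
      continue;
    }
    foreach ($entity->{$field_name} as $langcode => $items) {
      foreach ($items as $delta => $item) {
        if (empty($item['format'])) {
          // No format supplied: check_markup() falls back to the fallback
          // format, which every user is allowed to use.
          continue;
        }
        $format = filter_format_load($item['format']);
        // Unknown format ids are rejected too, not silently accepted.
        if (!$format || !filter_access($format)) {
          $errors[$field_name][$langcode][$delta][] = array(
            'error' => 'mymodule_text_format_access',
            'message' => t('You are not allowed to use the %format text format.',
              array('%format' => $item['format'])),
          );
        }
      }
    }
  }
}
```

Because `filter_access()` is evaluated against the acting user at save time, a request that submits the id of an administrator-only format (for example one with PHP evaluation enabled) fails validation instead of being stored and rendered later.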
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 2065021-text-format-access.patch | 4.82 KB | wodenx |
Comments

Comment #1 (wodenx)

Comment #2 (Chris Matthews, as a volunteer)
The 5-year-old patch in #1 does not apply to the latest entity 7.x-1.x-dev.