STEPS TO REPRODUCE:
- Create a gallery album
- Remove all access from "Everyone"
- Add access to a group
- Add an item to the gallery
- View the item
- Extract the URL to the image (in Firefox, right click the image and select "Copy image location")
(You can confirm you have the correct URL by loading it into the browser)
- Log out (or use a different browser -- I installed Opera to test things such as this)
- Load the page indicated by the extracted URL
EXPECTED BEHAVIOR:
- Access denied
OBSERVED BEHAVIOR:
- The image is accessible from the anonymous session
ADDITIONAL NOTES:
Accessing the album/item via Gallery2 does not exhibit this problem. I only see it when accessing it via the Drupal gallery module.
Comments
Comment #1
Daniel Norton commented: Bumped priority to "critical", as this represents a security vulnerability.
Comment #2
crifi commented: I tried to reproduce your issue and I can't confirm it. Following your steps I get the Drupal login form for the item, since I have no permission as an anonymous user. This is the expected behavior.