I just noticed some users can see other payments (even if they don't have that permission). I found this problem in the payment_access function:

      return user_access('payment.payment.' . $operation . '.any', $account) || $payment && user_access('payment.payment.' . $operation . '.own', $account) && $account->uid = $payment->uid;

$account->uid == $payment->uid should be the correct syntax.

This causes some session exchange between my users, so I think this is critical.
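Added illustration of the defect reported above (example code, not the Payment module's own): the buggy check beside the corrected one, run against a stub user_access() backed by a constructed permission table. Because PHP parses `$a && $b = $c` as `$a && ($b = $c)`, the `=` both assigns the payment owner's uid onto the account object and yields that uid as the last operand, which is truthy for any real owner. The permission names, uids and payment object are constructed for the example.

```php
<?php
// Constructed permission table: neither user holds the ".any" permission,
// both hold the ".own" permission. Stand-in for Drupal's permission system.
$permissions = array(
  1 => array('payment.payment.view.own'),
  2 => array('payment.payment.view.own'),
);

// Stand-in for Drupal's user_access(); NOT the real implementation.
function user_access($permission, $account) {
  return in_array($permission, $GLOBALS['permissions'][$account->uid], TRUE);
}

// The check as reported: "=" assigns instead of comparing. Side effects:
// (1) the last operand is $payment->uid, truthy for any owned payment, so
//     everyone with the ".own" permission passes for every payment;
// (2) $account->uid is overwritten with the payment owner's uid, so the
//     caller's account object now carries another user's identity.
function payment_access_buggy($operation, $payment, $account) {
  return user_access('payment.payment.' . $operation . '.any', $account)
    || $payment && user_access('payment.payment.' . $operation . '.own', $account) && $account->uid = $payment->uid;
}

// Corrected form: "==" compares the ids and never mutates $account.
// Parentheses added so the && / || grouping is explicit.
function payment_access_fixed($operation, $payment, $account) {
  return user_access('payment.payment.' . $operation . '.any', $account)
    || ($payment
        && user_access('payment.payment.' . $operation . '.own', $account)
        && $account->uid == $payment->uid);
}

// Constructed data: Alice owns the payment, Bob tries to view it.
$alice   = (object) array('uid' => 1);
$bob     = (object) array('uid' => 2);
$payment = (object) array('pid' => 10, 'uid' => 1);

echo "buggy, Bob views Alice's payment: ";
var_dump(payment_access_buggy('view', $payment, $bob));
echo "Bob's uid after the buggy check: ";
var_dump($bob->uid);

$bob->uid = 2; // restore Bob's identity for the fixed check

echo "fixed, Bob views Alice's payment: ";
var_dump(payment_access_fixed('view', $payment, $bob));
echo "fixed, Alice views her own payment: ";
var_dump(payment_access_fixed('view', $payment, $alice));
```

Running it shows the buggy check granting Bob access to Alice's payment and leaving Bob's account object with uid 1, which is the "session exchange" the report describes; the fixed check denies Bob and still grants Alice. `php -l` does not flag this pattern, so a static analyser rule for assignment inside a boolean expression, or a unit test that asserts an access check leaves `$account` unchanged, is the practical way to catch it before it ships.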

Comments


Assigned: Unassigned » Xano
Status: Active » Fixed

This issue was fixed in collaboration with the security team. See SA-CONTRIB-2013-002 for more details.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.


Assigned: Xano » Unassigned