SECURITY LEAK: ORG.DRUPAL.FIELD gives access to any entities (like node or user) for any user (includes anonymous)

Thanks for this report.

Any suggestions as to how enable security in this context? Some examples:
* Entity API's entity_access() for entity-level access
* Field Permissions for field-level access
* A special permission that allows users to access any field (as the situation is currently)

These access measures introduce the problem of an elevated user creating a spreadsheet using ORG.DRUPAL.FIELD with fields that cannot be accessed by normal users. How to handle this situation?

Committed 2 fixes (commit 1, commit 2) to prevent un-permissioned access to fields, nodes and other entities.

I'd be grateful if anyone could give this a good spin.

Committed fix for D6 as well.

I am not sure how to test this, but if you give me (simple?) instructions, I'd be glad to look...

Thanks for offering to help! Here's how I tested it:

* Create new user with no role
* Download and enable following modules: Content Access, ACL, Field Permissions

To test insecure references to sheetnodes

* Edit content type Sheetnode > Access control tab and turn ON the checkbox entitled "Enable per content node access control settings".
* As admin, create two sheetnodes A and B. Add some value to A in cell A1.
* Edit the access control for sheetnode A to be unreadable by authenticated users.
* As test user, open sheetnode B and type ="A"!A1 in any cell.
=> You should get a sheet unavailable error.
* As admin, edit the access control for sheetnode A and re-enable view access for authenticated users
* As test user, refresh sheetnode B and try again.
=> You should see the value from cell A1 in sheetnode A.

To test insecure references to sheet fields

* Create new content type Sheetfield containing one field type of Spreadsheet.
* Edit content type Sheetfield > Access control tab and turn ON the checkbox entitled "Enable per content node access control settings".
* As admin, create sheetfield C. Add some value to C in cell A1.
* Edit the access control for sheetfield C to be unreadable by authenticated users.
* As test user, open sheetnode B and type ="C"!A1 in any cell.
=> You should get a sheet unavailable error.
* As admin, edit the access control for sheetfield C and re-enable view access for authenticated users
* As test user, refresh sheetnode B and try again.
=> You should see the value from cell A1 in sheetfield C.

To test insecure references to sheet views

* Create a new view (called D) with new page where format = Spreadsheet.
* Set page settings access permission to Permission = Administer site configuration.
* Ensure that your view page returns some results.
* As test user, open sheetnode B and type ="D"!A1 in any cell.
=> You should get a sheet unavailable error.
* Set page settings access permission to Permission = View published content.
* As test user, refresh sheetnode B and try again.
=> You should see the value from cell A1 in the view.

To test insecure access of arbitrary node fields

* Edit any content type to add a new field "test" of type Text.
* In the new field settings, set the "Field visibility and permissions" to private.
* Create new node E of content type above and note its $nid.
* As test user, open sheetnode B and type =ORG.DRUPAL.FIELD('test', $nid, 'node') in any cell
* You should get a #NAME? error.
* Edit content type's "test" field settings and set the "Field visibility and permissions" to public.
* As test user, refresh sheetnode B and try again.
=> You should see the value of field "test" in node E.

To test insecure access of arbitrary entity fields

* Edit permission User > View user profiles to EXCLUDE authenticated users.
* As test user, open sheetnode B and type =ORG.DRUPAL.FIELD('name', 1, 'user') in any cell
* You should get a #NAME? error.
* Edit permission User > View user profiles to INCLUDE authenticated users.
* As test user, refresh sheetnode B and try again.
=> You should see user 1's name.

OK, thanks for that - very easy to follow. So far I have tested the first 2: access to sheetfields and sheetnodes, and I can confirm that access is granted as expected, authenticated user and anon cannot access the values in the spreadsheet if they are not granted access. Will test the other options soon (still debugging a formula issue that i will prob need to ask you about).

or tl;dr Works as expected for sheetnode and sheetfield

Update - er, not quite. i also tested the last option, and =ORG.DRUPAL.FIELD('name', 2, 'user') returns #NAME? for anon and for user/2, even when I am logged in as user/2 and permissions are set to allow anon users to view profiles. Note, perhaps complicated because i am using profile2 but even if i allow anon users to view and edit profiles, i still get #NAME? and not the username
Much better than leaking the info though..

Oh! Using sheetnode 7.x-1.0-beta6 - should that have been the dev version?

Thanks for testing! Yes, beta6 contains the fixes.

I'll check the permissions as described.

Committed a further fix to retrieve raw values from entities (like the user name). I had decided to remove that code while fixing this issue, but I think it's better to reinstate it.

ancym, it would be great if you could confirm you can now get the user's name. Just make sure to get today's dev release (or from git directly).

Yes, with the dev version, I can control access to the user name by setting permissions. Great!

Also, I also re-confirmed the first 2 options, that is, access to sheetnodes and sheet fields still works as expected.

But - so far I can't get the views setting to behave - that is, sheet is unavailable even when permission is set to 'view published content'. Anon viewer can see the spreadsheet D, but the value ="D"!A2 in spreadsheet B cell gives sheet unavailable msg. Didn't test the other option yet.

I am unable to reproduce the sheetview issue with anonymous access. You can also try it at http://sheetnode.org. Maybe there's a name conflict between the view and a node that's inaccessible?

To test insecure access of arbitrary entity fields
* Edit permission User > View user profiles to EXCLUDE authenticated users.
* As test user, open sheetnode B and type =ORG.DRUPAL.FIELD('name', 1, 'user') in any cell
* You should get a #NAME? error.
* Edit permission User > View user profiles to INCLUDE authenticated users.
* As test user, refresh sheetnode B and try again.
=> You should see user 1's name.

I have follow the step, but can only show the user 1 name which is admin.
=ORG.DRUPAL.FIELD('name', 2, 'user') <===for another users , I still get the #NAME? error.

Is there any key point I missing?

Please help

@plk83kevin: make sure the uid you're passing actually exists, and also that your logged in user has access to other users' profiles.