Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-December-11
Vulnerability:
Access bypass
Affected versions:
<2.0.0
Description:
The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms.
The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists.
Solution:
Install the latest version:
- If you use the Permissions by Term module for Drupal 8.x, including all of the 8.x-1.x branch, upgrade to Version 8.x-2.0 or later.
- The settings have been refactored. They are now bundled in the "permissions_by_term.settings.yml" file. There are not so many settings, so you can simply visit PbT's settings page and set the settings manually. Like the setting for "single term restriction".
Also see the Permissions by Term project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
