Use distinct authkey per node operation

Created on 1 July 2011, almost 14 years ago
Updated 11 August 2023, over 1 year ago

Since the same authkey is used to grant access to a node for view, edit and delete, a security hole is exposed when users with a view link can use the same authkey to perform other operations on the node.

Example:

A user with a link http://example.com/node/4/?authkey=5a5bc814a605658e33099cb4bdbcd5c7fe69fe09ef77faee0220905f35e62899 can use the same authkey and delete the node by adding "delete" to the link: http://example.com/node/4/delete?authkey=5a5bc814a605658e33099cb4bdbcd5c7fe69fe09ef77faee0220905f35e62899

✨ Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇺🇸 United States shadcn
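One way to close the gap described in this report, added here as an illustration and not the module's own code: derive a separate authkey per (node, operation) as an HMAC under a server-side secret, so a key issued for view does not verify for delete. The secret value, the operation names and the URL layout below are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Hypothetical site-wide secret; a real deployment would load it from
# server-side configuration and never expose it in a URL.
SITE_SECRET = b"example-site-secret-do-not-reuse"

# Operations a link can be issued for (assumed names).
ALLOWED_OPS = {"view", "edit", "delete"}


def make_authkey(secret: bytes, nid: int, op: str) -> str:
    """Derive a per-operation authkey: HMAC-SHA256 over (node id, operation).

    Binding the operation into the MAC input is what makes a view key
    useless for edit or delete.
    """
    if op not in ALLOWED_OPS:
        raise ValueError(f"unknown operation: {op}")
    msg = f"node:{nid}:op:{op}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_authkey(secret: bytes, nid: int, op: str, presented: str) -> bool:
    """Accept the key only if it was issued for this node AND this operation."""
    if op not in ALLOWED_OPS or not presented.isascii():
        return False
    expected = make_authkey(secret, nid, op)
    # Constant-time comparison avoids leaking the key byte by byte.
    return hmac.compare_digest(expected, presented)


def authorize_request(secret: bytes, url: str) -> bool:
    """Parse /node/<nid>[/<op>]?authkey=... and decide whether to allow it."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "node" or not parts[1].isdigit():
        return False
    nid = int(parts[1])
    # No trailing path segment means the plain node view.
    op = parts[2] if len(parts) > 2 else "view"
    key = parse_qs(parsed.query).get("authkey", [""])[0]
    return verify_authkey(secret, nid, op, key)
```

With this scheme, appending "delete" to a view link fails verification because the delete key is a different MAC, and a key for node 4 does not verify for node 5 either.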


Comments & Activities


  • 🇪🇸 Spain tunic Madrid

    This is a very old report. Currently, the module allows selecting which operations are enabled for a content type, so admins can enable view but not delete. Not perfect, but at least it allows exposing content without the risk of it being deleted.

    However, it would be interesting to have this. Patches are welcome.
