TomTech (United States) commented:
Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.
Note: The issue was originally reported to the Drupal security team by Andrea Gobetti.
This module has a role assignment issue.
You can see this issue by:
1. Enabling the Commerce License and Commerce License Role modules
2. Adding a new user role, for example "merchant"
3. Configuring the module Commerce License from admin/commerce/config/license, selecting the product and line item types that should be licensable (this choice doesn't influence the issue)
4. Configuring the module Commerce License Role from admin/commerce/config/license/role, selecting the product and line item types that should be licensable (this choice doesn't influence the issue)
5. Creating a product and selecting the "merchant" role in the product's Commerce License Role options
6. Saving the product
7. Deleting the "merchant" role
8. Now, editing again the product that was created before, we can see that the role in the Commerce License Role options has changed (for me it has changed to "Administrator")
Comment #1 Owen Barton commented January 5, 2015 at 8:04pm
Component: » Code
Access: » bojanz, jsacksick
Adding maintainers
Maintainers: please don't commit any code until requested to do so.
Comment #2 jsacksick commented January 5, 2015 at 8:35pm
Status: Active » Needs reporter response
After a quick discussion with Bojan, I don't think there's an issue because the role assignment is not updated.
What you're describing is actually a normal "issue": after deleting the role, the "rid" doesn't exist anymore and therefore can't be selected by default in the options array of the select list.
Please let me know if I misunderstood anything.
Comment #3 Owen Barton commented January 6, 2015 at 12:19am
I didn't try to reproduce this one yet - my read of the issue was that the product role could be unintentionally changed when the original role was deleted.
If that _is_ the only issue, I think this can probably be a public bug, since it seems a UX glitch with risky outcomes, rather than something an attacker could actually exploit. [A fix being, for example, making sure editors are forced to actively pick another role prior to saving a product when the original role has been deleted.]
It would be good to confirm before we make this public though.
@Andrea Gobetti - can you confirm if this is the only issue?
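The fix Owen suggests above (forcing the editor to actively pick another role when the stored one has been deleted) maps onto a small Drupal 7 Form API pattern. The following is an added example written for this thread, not code from the Commerce License Role module: it builds the role select so that a stale role id can never silently fall back to the first option (the "Administrator" outcome in the report), and re-checks the submitted value against the current roles. The element key, function names and the `$stored_rid` argument are hypothetical; `user_roles()`, `form_error()`, `#empty_option` and `#empty_value` are standard Drupal 7 APIs.

```php
<?php
/**
 * Added example (not Commerce License Role's own code).
 *
 * Builds a role selector for a product form so that a role id which no longer
 * exists cannot silently default to the first entry in the list.
 *
 * @param int|string $stored_rid
 *   The role id previously saved with the product (hypothetical argument).
 *
 * @return array
 *   A Form API select element.
 */
function example_license_role_element($stored_rid) {
  // user_roles(TRUE) returns rid => name for every role except anonymous.
  $roles = user_roles(TRUE);

  $element = array(
    '#type' => 'select',
    '#title' => t('Role granted by this license'),
    '#options' => $roles,
    // A placeholder entry whose value is never a real rid. Combined with
    // #required, FAPI rejects the form unless the editor makes a choice.
    '#empty_option' => t('- Select a role -'),
    '#empty_value' => '',
    '#required' => TRUE,
    '#element_validate' => array('example_license_role_validate'),
  );

  if (isset($roles[$stored_rid])) {
    // The stored role still exists: preselect it exactly as before.
    $element['#default_value'] = $stored_rid;
  }
  else {
    // The stored role was deleted (the situation reported in this issue).
    // Keep the placeholder selected and explain why a new choice is needed,
    // instead of letting the browser show the first option as if it were
    // the saved value.
    $element['#default_value'] = '';
    $element['#description'] = t('The role previously assigned to this product (rid @rid) no longer exists. Choose a replacement before saving.', array('@rid' => $stored_rid));
  }

  return $element;
}

/**
 * Element validation: only an existing role id may be saved.
 *
 * FAPI already rejects values that are not in #options; this handler makes
 * the requirement explicit and gives the editor a clearer message.
 */
function example_license_role_validate($element, &$form_state) {
  $value = $element['#value'];
  if ($value === '' || !array_key_exists($value, user_roles(TRUE))) {
    form_error($element, t('Please select an existing role for this license.'));
  }
}
```

The element would be returned from the module's form builder (or attached via `hook_form_FORM_ID_alter()` on the product form) in place of a select that sets `#default_value` unconditionally. The important part is the `isset($roles[$stored_rid])` branch: when the saved rid is gone, the form no longer has a valid default, so it must fail validation rather than save whichever role happens to be first.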
Comment #4 Andrea Gobetti commented January 6, 2015 at 10:54am
I confirm that this is the only issue, I reported it here because I thought that changing the given permission to admin without any notification or confirmation was a risky thing...
Comment #5 Owen Barton commented January 6, 2015 at 11:56pm
Status: Needs reporter response » Needs public issue created
Thanks! I think this can be public then - it's risky for sure, but not a vulnerability that warrants an advisory AFAICS.
Closed: outdated
1.0
Code