- 🇺🇸 United States TomTech
Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.
It seems fairly easy with commerce_license_role to accidentally allow a partially-trusted user to gain admin access.
The exploit is available to any user with permission to create a product, where that product contains a license for a role. By default, the user can simply change the product role to admin, then go ahead and buy the product.
I decided not to make this a security issue because the above can be viewed as a mistake on behalf of the person setting up the site. However it seems rather difficult to avoid such mistakes at the moment. I think this module needs to make this pitfall safer.
My best idea to fix this is as follows. On Store->Configuration->License settings->Role have a new section "allowed roles". By default, all are enabled, except admin is disabled and cannot be enabled. When editing a product, only the allowed roles are shown. If there is only one allowed role, the role field is not shown to product editors at all.
Other ideas
- Simply make the admin role an illegal choice for the role field.
- For any permission to edit a product, if the product has a license for a role, flag the permission as security critical.
- Create a page that documents ways to make it safe. First question - what actually are the ways!?! Could use the module Field Permissions to hide the role field from some users. However that relies on setting a suitable default value, which I think is only possible by hacking the role field to temporarily unlock it.
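One way to implement the "allowed roles" idea above, as an added example that is not code from commerce_license_role or its maintainers; it assumes the sold role is stored in a list field named commerce_license_role on commerce_product entities, and uses an assumed site variable license_role_guard_blocked_rids for any extra roles the site wants to block. The admin role is always blocked, and the check is enforced on save, not just hidden in the form.

```php
<?php
// Hypothetical helper module "license_role_guard" (added example, not part of
// commerce_license_role). Assumes the sold role is stored in a list field
// named 'commerce_license_role' on commerce_product entities.
define('LICENSE_ROLE_GUARD_FIELD', 'commerce_license_role');

/**
 * Role ids that may never be sold through a license: the site's admin role
 * (core variable 'user_admin_role') plus any listed in the assumed
 * site-specific variable 'license_role_guard_blocked_rids'.
 */
function license_role_guard_blocked_rids() {
  $blocked = variable_get('license_role_guard_blocked_rids', array());
  if ($admin_rid = variable_get('user_admin_role', 0)) {
    $blocked[] = $admin_rid;
  }
  return array_unique($blocked);
}

/**
 * Implements hook_field_widget_form_alter().
 * Drops blocked roles from the widget options so editors never see them.
 */
function license_role_guard_field_widget_form_alter(&$element, &$form_state, $context) {
  if ($context['field']['field_name'] == LICENSE_ROLE_GUARD_FIELD) {
    foreach (license_role_guard_blocked_rids() as $rid) {
      unset($element['#options'][$rid]);
    }
  }
}

/**
 * Implements hook_field_attach_validate().
 * Hiding an option is UI only; the value being saved is checked as well.
 */
function license_role_guard_field_attach_validate($entity_type, $entity, &$errors) {
  if ($entity_type != 'commerce_product' || empty($entity->{LICENSE_ROLE_GUARD_FIELD})) {
    return;
  }
  $blocked = license_role_guard_blocked_rids();
  foreach ($entity->{LICENSE_ROLE_GUARD_FIELD} as $langcode => $items) {
    foreach ($items as $delta => $item) {
      if (isset($item['value']) && in_array($item['value'], $blocked)) {
        $errors[LICENSE_ROLE_GUARD_FIELD][$langcode][$delta][] = array(
          'error' => 'license_role_guard_blocked',
          'message' => t('This role cannot be sold through a license.'),
        );
      }
    }
  }
}
```

The widget hook covers the "only show allowed roles" part of the proposal; the validate hook is the part that actually makes the setting safe, since a hidden option alone does not stop a value from being saved.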
Closed: outdated
1.0
Code