Anonymous user can view/edit group nodes and create nodes in a group

Created on 25 July 2018, over 6 years ago
Updated 14 March 2023, over 1 year ago

I have a Group to which some content types can be added using the Group Node plugin. In Drupal permissions, anonymous users have permission only to view entities -- they have NO permissions to edit anything. In the group's permissions, anonymous users have no permissions at all.

However, as an anonymous user:

* I can see /group/GID, which I should not be able to see.
* On that page, I can click a "Create" link! I see a path like /group/GID/content/create/group_node%3Ablog (e.g., to create a Blog Post node).

I should not be able to see the group page, see an edit form to create a node, or create anything. This is a huge security hole.

🐛 Bug report
Status: Active
Component: Code
Created by: 🇺🇸 United States margyly

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇳India Aakash.Mickey

    Hi,
    I installed a few content types on the Groups and gave the required permissions also, but later those group-related permissions for those content types were disabled. It's happening frequently.

    I need to know whether there is any bypass access in group permissions to give add/edit access to group node pages and view access for Anonymous users. Because we have a lot of content types, we can't enable it for each one every time.

  • 🇮🇳India Aakash.Mickey

    Hi,
    I installed a few content types on the Groups and gave the required permissions also, but later those group-related permissions for those content types were disabled automatically. It's happening frequently.

    I need to know whether there is any bypass access in group permissions to give add/edit access to group node pages and view access for Anonymous users. Because we have a lot of content types, we can't enable it for each one every time.
