Contrib.social

Entity Print does not respect Permisions by Term access denial

Open on Drupal.org β†’
Created on 20 April 2023, about 1 year ago

Problem/Motivation

Our project uses Permissions by Term β†’ to restrict node access. If a user visits a node that they do not have access to, they will get an Access Denied response. If they visit the Entity Print url for the PDF of that node (/print/pdf/node/898) they are still able to download the PDF.

Steps to reproduce

  • Install and configure both Entity Print and Permissions by Term ( see Permissions by Term docs β†’ )
  • restrict access to a node using the taxonomy you set up.
  • add the "View PDF" field to the display of a node type that uses the taxonomy you set up.
  • visit the node as a user that has permission to access.
  • copy the "View PDF" link url.
  • visit the node as a user that does not have permission to access. (you should get an Access Denied response)
  • paste in the "View PDF" link url, and you will still get the PDF.

Drupal version: 10.0.7

Entity Print version: 2.11.0

  • PDF: Dompdf

Permissions by Term version: 3.1.21

Desired Behavior

A user who does not have access to a node based on Permissions by Term should not be able to view or download the PDF.

πŸ› Bug report
Status

Active

Version

2.11

Component

Code

Created by

sgraham42

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @sgraham42
  • Comment about 1 year ago β†’
    sgraham42

    Adding additional info here as a comment, because it may not be relevant:
    the Permissions by Term module seems to use the Grants system for access restrictions. Perhaps this has something to do with it?

    My current solution is to add a custom patch just for us that adds a Permissions by Term access check to the EntityPrintController.php in checkAccess():

        // Ensure access via Permissions By Term
    if ($entity_type == 'node') {
      /* @var \Drupal\permissions_by_term\Service\AccessCheck $accessCheck */
      $accessCheck = \Drupal::service('permissions_by_term.access_check');
      $nodeToCheck = \Drupal\node\Entity\Node::load($entity_id);
      if (!$accessCheck->canUserAccessByNode($nodeToCheck)) {
        return AccessResult::forbidden();
      }
    }

    This, of course, is not a solution for the module itself, but I include it here because maybe it helps to find a real solution?

  • Comment about 1 year ago β†’
    πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

    I'll open an issue on security.drupal.org using the report security issue on the project page and unpublish this

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024