User can access the node even when the authlink is removed

Created on 7 September 2023
Updated 25 October 2023

Problem/Motivation

Users can access the node after the authlink is removed and should not.

This is because of the node_authlink access hook https://git.drupalcode.org/project/node_authlink/-/blob/ae2c22e843fb3086...

It checks that the node and the op are set on the session, but they are not removed from the session after the user removes the authlink.

  // Permit if checked.
  $authorized_node_ops = $_SESSION['node_authlink_nodes'][$node->id()] ?? FALSE;
  if ($authorized_node_ops && in_array($op, $authorized_node_ops, TRUE)) {
    return TRUE;
  }

Steps to reproduce

  • Enable the authlink on a content type
  • Create the authlink on an unpublished node at /node/[NODE_ID]/authlink
  • Then visit the node as anonymous using the authlink
  • Remove the authlink from the node
  • Visit the node again (no need to use the authlink because the authlink is saved in the session)
  • User has access to the node after the authlink is removed and should not

Proposed resolution

Check that the auth link is set on the node.
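
The proposed check, modelled as an added example (not the node_authlink module's code or its patch): it replays the steps above against a session-only check and against one that first confirms the node still has an authlink, which then denies access and drops the stale session entry. The `$authlinks` store, the `$session` array standing in for `$_SESSION`, the function names and the key value are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the module's authlink storage: node id => authkey.
$authlinks = [];
// Stand-in for $_SESSION so the script runs from the CLI.
$session = ['node_authlink_nodes' => []];

/** Visiting with a valid key caches the permitted ops in the session. */
function visit_with_authlink(array &$session, array $authlinks, int $nid, string $key, array $ops): bool {
  if (!isset($authlinks[$nid]) || !hash_equals($authlinks[$nid], $key)) {
    return FALSE;
  }
  $session['node_authlink_nodes'][$nid] = $ops;
  return TRUE;
}

/** Behaviour described in the report: only the session is consulted. */
function access_session_only(array $session, int $nid, string $op): bool {
  $authorized_node_ops = $session['node_authlink_nodes'][$nid] ?? FALSE;
  return $authorized_node_ops && in_array($op, $authorized_node_ops, TRUE);
}

/** Proposed resolution: the node must still have an authlink set. */
function access_revalidated(array &$session, array $authlinks, int $nid, string $op): bool {
  if (!isset($authlinks[$nid])) {
    // Authlink was removed: drop the stale grant so it cannot be reused.
    unset($session['node_authlink_nodes'][$nid]);
    return FALSE;
  }
  return access_session_only($session, $nid, $op);
}

// Replay the reproduction steps with constructed values.
$authlinks[42] = 'constructed-authkey';
visit_with_authlink($session, $authlinks, 42, 'constructed-authkey', ['view']);
// The authlink is removed from the node.
unset($authlinks[42]);

// Session-only check after removal.
var_dump(access_session_only($session, 42, 'view'));
// Revalidating check after removal; also purges the session entry.
var_dump(access_revalidated($session, $authlinks, 42, 'view'));
// Session-only check again, after the purge.
var_dump(access_session_only($session, 42, 'view'));
```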

Type: Bug report
Status: Fixed
Version: 2.0
Component: Code
Created by: eduardo morales alberti (Spain)
