[security issue] Owner permission to print or download pdf-docx

Created on 17 May 2024, 8 months ago

Problem/Motivation

The permissions section must be revised because there is a serious security OR GDPR problem. The PDF print or Views print links do not check the owner. Therefore, anyone who knows the node id can download someone else's entity by changing the node id in the link, or they can try random node ids or paths that follow the link pattern...
Any member with the "Entity Type:Use all print engines" permission can download this content via the entity print link, even if they do not have permission to view the content.
For example, any member with view permission can download others' invoice entities, or any entity containing sensitive content such as invoices, by changing ordinary node ids.
How can we solve this issue? Any advice would be great.
Thanks.

💬 Support request
Status

Active

Version

2.0

Component

Code

Created by

🇬🇧United Kingdom jaydenpearly
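One way to close the gap the report describes is to make the print route's access callback require both the module permission and the target entity's own view access, so a guessed id is not enough. The following is an added example written for this issue, not Entity Print's own code; the module name `print_guard`, the class, the route parameter names and the permission string are assumptions.

```php
<?php

namespace Drupal\print_guard\Access;

use Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException;
use Drupal\Component\Plugin\Exception\PluginNotFoundException;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access callback for a print route. Wire it up in routing.yml with
 *   requirements:
 *     _custom_access: '\Drupal\print_guard\Access\PrintEntityAccessCheck::access'
 * Module name, class name and permission string are assumptions for this example.
 */
class PrintEntityAccessCheck {

  // Assumed machine name of the "use print engines" permission.
  const PRINT_PERMISSION = 'use print engines';

  public static function access(AccountInterface $account, string $entity_type, string $entity_id): AccessResultInterface {
    // Weak form: checking only the module permission. On its own this is what
    // lets any permission holder fetch any entity whose id appears in the URL.
    $canPrint = AccessResult::allowedIfHasPermission($account, self::PRINT_PERMISSION);

    try {
      $entity = \Drupal::entityTypeManager()->getStorage($entity_type)->load($entity_id);
    }
    catch (InvalidPluginDefinitionException | PluginNotFoundException $e) {
      // Unknown entity type in the URL: nothing to print.
      return AccessResult::forbidden();
    }
    if ($entity === NULL) {
      // Unknown id: forbid rather than answer differently, so the response
      // does not reveal whether an entity with that id exists.
      return AccessResult::forbidden();
    }

    // Hardened form: the print permission is necessary, AND the user must pass
    // the entity's own 'view' access check, which is where ownership and
    // published-state rules (node grants, "view own ..." permissions) live.
    // The object form ($return_as_object = TRUE) keeps cache metadata attached.
    $canView = $entity->access('view', $account, TRUE);
    return $canPrint->andIf($canView);
  }

}
```

The same `$entity->access('view', ...)` check belongs in any Views field or link formatter that emits a print URL, so the link is hidden from users who would be refused by the route.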
