Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

Project: Permissions by Term
Date: 2019-December-11
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description: The Permissions by Term module extends Drupal with functionality for restricting access to single nodes via taxonomy terms.
The module doesn't sufficiently restrict access to node previews when the Search API module is used to display nodes in search result lists.
Solution: Install the latest version:

  • If you use the Permissions by Term module for Drupal 8.x, including all of the 8.x-1.x branch, upgrade to version 8.x-2.0 or later.
  • The settings have been refactored. They are now bundled in the "permissions_by_term.settings.yml" file. There are only a few settings, so you can simply visit PbT's settings page and set them manually, for example the setting for "single term restriction".

Also see the Permissions by Term project page.

Reported By: 

Fixed By: 

Coordinated By: 
