Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Project: RenderkitVersion: 7.x-1.x-devDate: 2020-July-01Security risk: Less critical 9∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: The renderkit module contains components which can transform the display of field items sent to it.
Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.
This only occurs if all of the following conditions are true:

  • Your site has a field where viewing access is restricted on field level, e.g. using the "Field permissions" module.
  • The access-restricted field is displayed using the "Field with formatter" entity display from renderkit, in combination with one of the affected field display processor components.

Solution: If a site is affected there are 2 steps to fix this issue on a site:
Step 1: Install the latest version of renderkit:

Step 2: Review your custom modules.

Look for classes that implement FieldDisplayProcessorInterface.
Consider to extend the FieldDisplayProcessorBase class instead of implementing the interface.
Also see the Renderkit project page.Reported By: 

Fixed By: 

Coordinated By: 

Path to article