Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026
Project: Renderkit Version: 7.x-1.x-dev Date: 2020-July-01 Security risk: Less critical 9∕25 Vulnerability: Access bypass
The renderkit module contains components which can transform the display of field items sent to it.
Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.
This only occurs if all of the following conditions are true:
- Your site has a field where viewing access is restricted on field level, e.g. using the "Field permissions" module.
- The access-restricted field is displayed using the "Field with formatter" entity display from renderkit, in combination with one of the affected field display processor components.
If a site is affected there are 2 steps to fix this issue on a site:
Step 1: Install the latest version of renderkit:
If you use the renderkit module for Drupal 7.x, upgrade to Renderkit 7.x-1.14.
Step 2: Review your custom modules.
Look for classes that implement
Consider to extend the
FieldDisplayProcessorBase class instead of implementing the interface.
Also see the Renderkit project page.