Security Update: Contrib 2012 148

27 Sep 2012 - 10:38 am

OG - Access Bypass

OG (Organic groups) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. Group membership can be granted immediately upon subscribing, or it can be pending, waiting for a group administrator to approve it.

OG doesn't properly maintain pending memberships if the user is allowed to edit their own account.

In addition, under certain circumstances, a user was able to post to a group which they were not a member of.

There are no additional mitigating factors for these issues.

