SiteInformationForm validates access to paths that aren't changed, potentially making the form unsubmittable

Created on 9 November 2014, over 9 years ago
Updated 19 May 2023, about 1 year ago

Problem/Motivation

Currently the "Default front page" field on the Basic site settings form (SiteInformationForm) validates that the user submitting the form has access to the route, and prevents saving if they do not.

Additionally, if the user has administrative permission (i.e. user 1) and tries to set a route they do not have permission to access (user/login, for example), the form saves successfully but wipes the value, leaving it blank.

1) The form should not wipe the value when route validation fails on a submission from an admin user.
2) Validation of whether the route exists should be separate from whether the user submitting the form has permission to access that route.

On submission we should validate that the path is a valid path.

Steps to reproduce

1) As user/1, submit the admin/config/system/site-information form with a valid route.
2) As user/1, attempt to submit the admin/config/system/site-information form with /user/login as the front page. The form saves, but the stored front-page value is wiped.

Proposed resolution

Prevent setting the following paths:
- admin/*
- /user/*/cancel
- /node/*/delete
- other additional routes?

Validate that the route exists, but not necessarily that the current user has permission to access it.

Remaining tasks

Confirm which routes we want to prevent setting
Change the validation such that it is not user dependent.
Consider how to handle the case when the existing saved value no longer validates on form submission.
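One way to implement the decoupled validation described above, as an added example that is not core's code and not part of this issue: route existence is checked with the path validator's access-free method, the denied paths from the proposed resolution are matched as patterns, and a value that is unchanged from the saved configuration is accepted without re-validation so the form stays submittable. It assumes the core form element is named `site_frontpage` and the saved value lives in `system.site:page.front`; the module namespace is hypothetical.

```php
<?php

// Hypothetical module namespace; the class name is also an assumption.
namespace Drupal\frontpage_guard;

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Path\PathValidatorInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;

/**
 * Validates a front-page path without consulting the submitting user's access.
 */
class FrontPagePathValidator {

  use StringTranslationTrait;

  /**
   * Paths that may never be the front page (shell-style patterns; '*' also
   * matches '/', so '/admin/*' covers the whole admin tree).
   */
  const DENIED_PATTERNS = [
    '/admin',
    '/admin/*',
    '/user/*/cancel',
    '/node/*/delete',
  ];

  public function __construct(
    protected PathValidatorInterface $pathValidator,
    // The currently saved value, e.g. \Drupal::config('system.site')->get('page.front').
    protected string $savedFrontPage,
  ) {}

  /**
   * Returns NULL when $path is acceptable, otherwise a translatable error.
   */
  public function validate(string $path) {
    // Config stores the front page with a leading slash; normalize user input.
    if ($path === '' || $path[0] !== '/') {
      $path = '/' . $path;
    }

    // An unchanged value was accepted when it was saved; do not re-validate it,
    // otherwise an existing front page the current user cannot access makes
    // the whole form unsubmittable.
    if ($path === $this->savedFrontPage) {
      return NULL;
    }

    foreach (self::DENIED_PATTERNS as $pattern) {
      if (fnmatch($pattern, $path)) {
        return $this->t("The path '%path' cannot be used as the front page.", ['%path' => $path]);
      }
    }

    // Existence only: getUrlIfValidWithoutAccessCheck() resolves the path to a
    // route but skips the access check that isValid() would perform for the
    // current user, so /user/login passes even for an authenticated user.
    if (!$this->pathValidator->getUrlIfValidWithoutAccessCheck($path)) {
      return $this->t("The path '%path' is invalid.", ['%path' => $path]);
    }

    return NULL;
  }

  /**
   * Form validation callback for the site information form.
   */
  public function validateForm(array &$form, FormStateInterface $form_state) {
    $path = (string) $form_state->getValue('site_frontpage');
    if ($error = $this->validate($path)) {
      // Flagging the element keeps the submitted value in the form instead of
      // silently saving an empty value.
      $form_state->setErrorByName('site_frontpage', $error);
    }
  }

}
```

Whether a site wants the denied-pattern list at all is still the open question under "Remaining tasks"; the point of the example is that route existence, the deny list, and the unchanged-value shortcut are all evaluated independently of who is submitting the form.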

Note:

The above is a problem, because in #2288911: Use route name instead of system path in user maintenance mode subscriber, we have made the /user/login path accessible only to anonymous users, so if someone wants to use that for the default front page, then it will prevent the form from being used by any authenticated user.

Bug report
Status: Needs work
Version: 10.0
Component: System
Last updated: 1 day ago
Maintainer: none
Created by: effulgentsia (United States)
