Currently the site information Basic Site Settings Front page validates the user has access to the route and prevents saving if this is the case.
Additionally if the user has administrative permission (i.e. user 1) and you try and add a route that you don't have permission to - user/login for example the for saves successfully but wipes the value leaving it black.
1) The form should not wipe values when the routing validation fails when submitted from an admin user.
2) The form validation as to whether the route is a valid route should be separate from whether the user submitting the form has permission over the route.
On submission we should validate that the path is a valid path.
1) As user/1 submit the admin/config/system/site-information form with a valid route
2) As user/1 attempt to submit the admin/config/system/site-information form with /user/login as the homepage.
Prevent setting the following paths:
- admin/*
- /user/*/cancel
- /node/*/delete
- other additional routes?
Validate that the route exists - but not necessary that the current user has permission.
Confirm which routes we want to prevent setting
Change the validation such that it is not user dependent.
Consider how to handle the case when the existing saved value no longer validates on form submission.
Note:
The above is a problem, because in #2288911: Use route name instead of system path in user maintenance mode subscriber → , we have made the /user/login path accessible only to anonymous users, so if someone wants to use that for the default front page, then it will prevent the form from being used by any authenticated user.
Needs work
10.0 ✨
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Updated the version target.
I've updated the issue summary based on https://www.drupal.org/project/drupal/issues/2371863#comment-14607943 🐛 SiteInformationForm validates access to paths that aren't changed, potentially making the form unsubmittable Needs work
Given the potential for data loss perhaps this should be updated from Minor?