Possible access bypass for rendered links

Created on 23 October 2015, about 9 years ago
Updated 27 April 2024, 8 months ago

I wanted to remove the input format tips link from the TextFormat form element, so I have disabled access to the filter.tips and filter.tips_all routes via an event subscriber by setting the requirements to ['_access' => 'FALSE'].

This works just fine: when I visit /filter/tips I get a proper 404. But the issue is that the link itself is still visible. I was checking if the access method on the Url object works, and it does, so the bug is somewhere else. And I found out that in the LinkGenerator::generate() method there is no access check for routed Urls.

By catch's recommendation I am attaching this simple patch that fixes this bug (i.e. the link has disappeared) to see what the test bot will have to say.
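The setup described in the report, as an added example that is not the reporter's patch or Drupal core code: a route subscriber that denies the two filter tips routes, plus a helper that consults Url::access() before building a link so a denied route is never rendered. The module name `mymodule`, the class name and the `accessCheckedLink()` helper are hypothetical.

```php
<?php

namespace Drupal\mymodule\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Drupal\Core\Url;
use Symfony\Component\Routing\RouteCollection;

/**
 * Denies access to the filter tips routes (hypothetical module "mymodule").
 *
 * Must be registered as a service tagged "event_subscriber" in
 * mymodule.services.yml so that alterRoutes() runs on route rebuild.
 */
class FilterTipsRouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    foreach (['filter.tips', 'filter.tips_all'] as $name) {
      if ($route = $collection->get($name)) {
        // Replace every requirement so only the deny rule remains.
        $route->setRequirements(['_access' => 'FALSE']);
      }
    }
  }

  /**
   * Builds a link render array only if the current user may reach the URL.
   *
   * Hypothetical helper for code that renders routed links itself.
   */
  public static function accessCheckedLink(string $text, Url $url): array {
    // Url::access() runs the route's access checks for the current user.
    // For unrouted (external) URLs it returns TRUE.
    if (!$url->access()) {
      // An empty render array produces no markup, so no link is shown.
      return [];
    }
    return ['#type' => 'link', '#title' => $text, '#url' => $url];
  }

}
```

With the subscriber active, `FilterTipsRouteSubscriber::accessCheckedLink('Tips', Url::fromRoute('filter.tips_all'))` returns an empty array, while links to routes the user can access are built as usual.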

🐛 Bug report
Status

Postponed: needs info

Version

11.0 🔥

Component
Routing →

Last updated 3 days ago


Comments & Activities


  • 🇳🇿 New Zealand quietone

    There has been no discussion here for 8 years, perhaps this is no longer a problem?

    Is this still a problem in Drupal 10 or later?

    Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • Status changed to Closed: outdated 3 months ago
  • 🇳🇿 New Zealand quietone

    I trust that someone would have responded if this was still a problem and that hasn't happened in 5 months.

    Therefore, closing as outdated. If this is incorrect, reopen the issue by setting the status to 'Active' and add a comment explaining what still needs to be done.
