Plugin setup pages are accessible regardless of their status

Created on 24 December 2015, over 8 years ago
Updated 16 July 2023, 12 months ago

If a plugin is not enabled, directly accessing its setup URL and going through the setup process is still possible.
Note: this won't make the plugin usable to the user as it's disabled globally.

πŸ› Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

🇭🇺 Hungary banviktor


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Status changed to Needs work 12 months ago
  • 🇸🇰 Slovakia poker10

    Thanks for working on this.

    The tfa_basic_setup_access() is also used for user/%user/security/tfa and some others. The new condition will disable access when $method is empty, but this parameter was not added to these additional menu callbacks. Applying this patch will disable access to the main TFA "Security" tab in user accounts (user/%user/security/tfa).

    We need to check if method is not empty and only then apply the new check. Otherwise keep the behavior as it was. Thanks!
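
The behaviour requested in the comment above, as an added sketch that is not the module's code or the patch from this issue: one access callback shared by routes with and without a method argument, shown once with the side effect the comment describes and once with the guard it asks for. The function names, the `$base_access` flag standing in for the existing account/permission check, and the plugin ids are assumptions made for illustration.

```php
<?php
// Added illustration; function names and plugin ids are hypothetical.

// Variant with the side effect described in the comment: an empty $method is
// treated as "plugin not enabled", so routes that pass no method are denied.
function setup_access_strict(bool $base_access, array $enabled, ?string $method = NULL): bool {
  return $base_access && in_array($method, $enabled, TRUE);
}

// Variant the comment asks for: apply the plugin check only when a method
// was passed; otherwise keep the previous behaviour.
function setup_access_guarded(bool $base_access, array $enabled, ?string $method = NULL): bool {
  if (!$base_access) {
    return FALSE;
  }
  if ($method === NULL || $method === '') {
    return TRUE;
  }
  return in_array($method, $enabled, TRUE);
}

// Constructed sample data: one globally enabled plugin, one disabled.
$enabled = ['plugin_a'];
$cases = [
  'security tab (no method)'    => [TRUE, NULL],
  'setup page, enabled plugin'  => [TRUE, 'plugin_a'],
  'setup page, disabled plugin' => [TRUE, 'plugin_b'],
  'no base access'              => [FALSE, 'plugin_a'],
];

printf("%-30s %-8s %s\n", 'route', 'strict', 'guarded');
foreach ($cases as $label => [$base, $method]) {
  printf("%-30s %-8s %s\n", $label,
    setup_access_strict($base, $enabled, $method) ? 'allow' : 'deny',
    setup_access_guarded($base, $enabled, $method) ? 'allow' : 'deny');
}
```

The two variants differ only on the first row, which is the case the comment reports: the route without a method argument.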
