Contrib.social

Route access bypass due to wrong route match for <current> route

Open on Drupal.org β†’
Created on 21 February 2016, over 8 years ago
Updated 4 November 2023, 10 months ago

I am using my patch from #2599958: Possible access bypass for rendered links β†’ and I have noticed that my tablesort headers have disappeared.

So I have digged through the link generation and Url access handling and it turned out that \Drupal\Core\Access\AccessManager::checkNamedRoute(), specifically $route = $this->routeProvider->getRouteByName($route_name, $parameters); will return wrong route because the tablesort headers are using <current> route but the route provider will return the /<current> which does not exist and so when the \Drupal\Core\Access\AccessManager::check will try to perform validation the $checks will always be empty and so neutral access result is returned and wo when the Url->access() is called it will always return FALSE, hence the disappearing links.

This does not influence access to the route by visiting it directly, only the links.

πŸ› Bug report
Status

Postponed: needs info

Version

11.0 πŸ”₯

Component
RoutingΒ  β†’

Last updated 8 days ago

Created by

mbkaba22

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024