Review access token system

Created on 23 March 2018, over 6 years ago
Updated 14 January 2024, 8 months ago

To allow anonymous users (assuming they have the permission) to create and manage saved searches, we have "access tokens" for saved searches created by anonymous users. Basically, when the appropriate token is passed as a GET parameter with a page request, the current user will have the same permissions as the saved search's owner would normally have. (The token varies based on the operation and, of course, the saved search.)

Currently, when deciding whether a saved search URL should get a token attached, we just look at the saved search's owner, not at the current user (see \Drupal\search_api_saved_searches\Entity\SavedSearch::urlRouteParameters()). I mainly decided on this approach because it helps avoid special cases for generating mails (mails for the saved search might be generated during cron runs, when the current user is irrelevant), but it also means that admins will see links for those saved searches with the tokens attached. This can be confusing (since they, of course, don't need the tokens), practical (when they want to give someone the link to access a saved search, for whatever reason) and dangerous (when they inadvertently share such a link somewhere, not realizing it will give access to anyone).

The question now is: is this OK? Especially from a security point of view?
If not: What should we change?
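The following is an added, self-contained illustration of the token mechanism the issue describes; it is not code from search_api_saved_searches and does not reproduce urlRouteParameters(). Everything in it is an assumption chosen for the demo: the HMAC-SHA256 construction (a token bound to one saved search and one operation, checked in constant time), the SITE_SECRET value, the SavedSearch class, the operation names, and the needs_token / build_url / access_allowed helpers. The two policy labels contrast the current owner-based rule (admins also see tokenised links) with a rule that additionally looks at the current user and omits the token when that user already has access, while still falling back to the owner rule when there is no request at all, as during cron mail generation.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed secret for the demo only; a site would derive tokens from its own private key.
SITE_SECRET = b"demo-secret-not-for-production"
ANONYMOUS_UID = 0
OPERATIONS = ("view", "edit", "delete")  # assumed operation names


@dataclass
class SavedSearch:  # hypothetical stand-in for the saved search entity
    search_id: int
    owner_uid: int


def make_token(secret: bytes, search_id: int, operation: str) -> str:
    """Token bound to one saved search and one operation (HMAC-SHA256), so a
    'view' link cannot be replayed to 'delete' the same search."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    message = f"{search_id}:{operation}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def check_token(secret: bytes, search_id: int, operation: str, token: str) -> bool:
    """Constant-time comparison: a mismatch reveals nothing about the expected value."""
    if operation not in OPERATIONS:
        return False
    return hmac.compare_digest(make_token(secret, search_id, operation), token)


def needs_token(search: SavedSearch, current_uid, is_admin: bool, policy: str) -> bool:
    """Decide whether a generated link should carry a token.

    policy == "owner": the behaviour the issue describes; only the owner is
    consulted, so admins also see tokenised links.
    policy == "current_user": additionally look at who is viewing the page and
    omit the token when that user already has access without it.
    current_uid is None when there is no request, e.g. mails built during cron;
    both policies then fall back to the owner rule.
    """
    if search.owner_uid != ANONYMOUS_UID:
        return False  # tokens only exist for searches owned by anonymous users
    if policy == "owner" or current_uid is None:
        return True
    if policy == "current_user":
        return not is_admin
    raise ValueError(f"unknown policy {policy!r}")


def build_url(secret, search, operation, current_uid, is_admin, policy) -> str:
    """Build the link for one operation, attaching a token only when needs_token says so."""
    path = f"/saved-search/{search.search_id}/{operation}"
    if needs_token(search, current_uid, is_admin, policy):
        return path + "?" + urlencode({"token": make_token(secret, search.search_id, operation)})
    return path


def access_allowed(secret, search, operation, current_uid, is_admin, token=None) -> bool:
    """Server-side check when a request arrives: admins and registered owners pass on
    their own; an anonymous-owned search needs a valid token for that operation."""
    if is_admin:
        return True
    if search.owner_uid != ANONYMOUS_UID:
        return current_uid == search.owner_uid
    return token is not None and check_token(secret, search.search_id, operation, token)


if __name__ == "__main__":
    anon_search = SavedSearch(42, ANONYMOUS_UID)
    for policy in ("owner", "current_user"):
        # An admin (uid 1) viewing the page: only the owner policy leaks a token into the link.
        print(policy, "->", build_url(SITE_SECRET, anon_search, "edit", 1, True, policy))
```

Running the script prints the edit link an admin would see under each policy; with the owner policy it carries a usable token, with the current-user policy it does not, which is exactly the sharing risk the issue raises.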

Task
Status: Active
Version: 1.0
Component: Code
Created by: drunken monkey (Vienna, Austria)


Comments & Activities


  • drunken monkey (Vienna, Austria)

    Since lots of sites have been running this module in production for years now, and no-one complained, this doesn’t seem like a big issue.
    I’m changing the tag to “release target”, since this is still a priority, but it shouldn’t hold up the stable release.
