Add access control to /filter/tips

Open on Drupal.org →

Created on 25 June 2019, over 5 years ago

Updated 5 September 2024, 23 days ago

Problem/Motivation

The path /filter/tips is accessible to all the users, including anonymous users even if they do not have access to any input field. Though the path is excluded in ROBOTS.txt and is harmless, it doesn't appear to be serving any purpose to anyone who is not entitled to use a filter while it gets flagged in security reports for having inappropriate permissions.

Proposed resolution

In filter.routing.yml change _access for "Compose tips" to something that checks if the user has access to at least one of the filters.

Remaining tasks

Confirm the approach, see #14 📌 Add access control to /filter/tips Needs work

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task

Status

Needs work

Version

11.0 🔥

Component

Last updated about 12 hours ago

No maintainer

Created by

🇦🇺Australia fotuzlab

Live updates comments and jobs are added and updated live.

Bug Smash Initiative

Incomplete comments

Sign in to follow issues

Merge Requests

!9617Add access control to /filter/tips
Open
🇮🇳India KumudB
updated 3 days ago
!3565Add access control to /filter/tips
Open
🇳🇿New Zealand danielveza
updated 2 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇳🇿New Zealand danielveza Brisbane, AU
Merge request !3565#3063877 - Add new permission for viewing the filter/tips page → (Open) created by danielveza
Status changed to Needs review over 1 year ago4:42am 1 March 2023
Comment over 1 year ago →
🇳🇿New Zealand danielveza Brisbane, AU
Added a new permission "view filter tips page" for handling access to the generic /filter/tips page.

Will need a change record and IS update if this approach is signed off
Status changed to Needs work over 1 year ago10:02am 1 March 2023
Comment over 1 year ago →
needs-review-queue-bot
The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
Comment 2 months ago →
🇳🇿New Zealand quietone
quietone → changed the visibility of the branch 3063877-add-access-control to hidden.
Comment 2 months ago →
🇳🇿New Zealand quietone
Rebase onto 11.x.
Comment 23 days ago →
d.stoyanov
update.
Comment 3 days ago →
🇮🇳India KumudB Ahmedabad
kumudb → changed the visibility of the branch 3063877-add-access-control to active.
Comment 3 days ago →
🇮🇳India KumudB Ahmedabad
kumudb → changed the visibility of the branch 3063877-add-page-access-permissions to hidden.
Merge request !96173063877: Added the permission for filter tips page. → (Open) created by KumudB
Comment 3 days ago →
🇮🇳India KumudB Ahmedabad
I have raised the MR for filter/tips page access permission.
MR : https://git.drupalcode.org/project/drupal/-/merge_requests/9617/diffs
Pipeline finished with Failed
3 days ago
Total: 380s
#293104
Comment 2 days ago →
🇺🇸United States smustgrave
Proposed solution doesn't match what appears in the MR.

Also will need some kind of update hook to assign the new permission, without it people who correctly should have access all of a sudden won't.

New permissions will need a CR.
Comment 2 days ago →
🇺🇸United States smustgrave
Also why start a new MR, the previous one 3565 is pointing to 11.x correctly

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024