Review access checks

Created on 19 March 2021, over 3 years ago
Updated 11 April 2023, about 1 year ago

Problem/Motivation

Since the security update (commit 8b19eab), the required permission for the routing endpoint was changed from "access content" to "administer nodes", and for each item the "edit" access is checked. Therefore, the autocomplete is now only available to administrators and no longer to editors without the "administer nodes" permission. In my opinion, checking each result for view permissions is sufficient to mitigate the security issue properly while keeping the module functional for all editors.

Steps to reproduce

Configure this module on a field and add a user role that can edit this field without having the "administer nodes" permission. I expect this user to see the autocomplete, which doesn't work.

Proposed resolution

Revert the "administer nodes" check to "access content". A stricter access check is not required here since access is already checked in the controller. Also, change "edit" to "view" in the controller access check. This function does not allow you to edit the referenced entities, so "view" is sufficient.
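As an added illustration of the two-layer check the proposed resolution describes (this is example code written for this page, not the module's own controller or the code committed in this issue): the route is gated only by "access content", and the controller filters every candidate item by a per-entity "view" check before returning it. The module name "myautocomplete", the route name, the controller class and the query shape are all assumptions made for the example.

```php
<?php

// Added example (not the module's code). The module name "myautocomplete",
// the route name and the controller class below are hypothetical.
//
// Route definition, as it would appear in myautocomplete.routing.yml:
//
// myautocomplete.values:
//   path: '/myautocomplete/values/{entity_type}/{field_name}'
//   defaults:
//     _controller: '\Drupal\myautocomplete\Controller\ValuesController::handle'
//   requirements:
//     # Coarse gate only: "access content", not "administer nodes".
//     # Every returned item is still filtered by a per-entity "view"
//     # check in the controller, so the route needs nothing stricter.
//     _permission: 'access content'

namespace Drupal\myautocomplete\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\FieldableEntityInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

final class ValuesController extends ControllerBase {

  /**
   * Returns distinct existing values of $field_name that match ?q=.
   */
  public function handle(Request $request, string $entity_type, string $field_name): JsonResponse {
    $q = trim((string) $request->query->get('q', ''));
    if ($q === '') {
      return new JsonResponse([]);
    }

    $storage = $this->entityTypeManager()->getStorage($entity_type);
    $account = $this->currentUser();

    // accessCheck(TRUE) applies query-level access (e.g. node grants) for
    // the current user. Fetch more than we intend to return, because the
    // per-entity filter below may drop some candidates.
    $ids = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition($field_name, $q, 'CONTAINS')
      ->range(0, 50)
      ->execute();

    $values = [];
    foreach ($storage->loadMultiple($ids) as $entity) {
      if (!$entity instanceof FieldableEntityInterface || !$entity->hasField($field_name)) {
        continue;
      }
      // Per-item check. The widget only reads existing values, so "view" is
      // the correct operation; checking "update" here would hide values from
      // editors who cannot edit every matching entity.
      if (!$entity->access('view', $account)) {
        continue;
      }
      $items = $entity->get($field_name);
      // Also honour field-level view access (e.g. from Field Permissions).
      if (!$items->access('view', $account)) {
        continue;
      }
      foreach ($items as $item) {
        $value = $item->getString();
        if ($value !== '') {
          $values[$value] = TRUE;
        }
      }
      if (count($values) >= 10) {
        break;
      }
    }

    $results = [];
    foreach (array_keys($values) as $value) {
      $results[] = ['value' => $value, 'label' => $value];
    }
    return new JsonResponse($results);
  }

}
```

The point of the layering is that the route permission only decides who may call the endpoint at all; what the caller actually learns is decided per item, so a role with "access content" sees exactly the values it could already read on the entities themselves, and nothing else. An "administer nodes" or "bypass node access" requirement on the route would add no protection and would only lock editors out.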

📌 Task
Status

Fixed

Version

2.0

Component

Code

Created by

🇳🇱 Netherlands mauritsl


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇩🇪 Germany Anybody Porta Westfalica

    Thank you very much @DieterHolvoet! RTBC from my side!

    Also here it would be super helpful to have tests for the future to be sure!
    See #3271272: Write further basic tests →

    • Anybody → committed 2f55daa2 on 2.x
      Issue #3204475 by Anybody, DieterHolvoet, mauritsl, artis: Review access...
  • Status changed to Fixed over 1 year ago
  • 🇩🇪 Germany Anybody Porta Westfalica

    We'll add the tests in the separate issue. I've merged this. Thanks!

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed about 1 year ago
  • 🇺🇸 United States gintass

    The autocomplete widget requires the "Administer Content" permission. That is a problem, since I don't want to give this permission to content editors.
    Tested with:
    Existing Values Autocomplete Widget - 2.0.0-beta1
    Drupal - 9.5.5
    PHP - 8.1.17

    I uninstalled the "Field Permissions" module to make sure there is no conflict.

  • 🇺🇸 United States gintass

    It appears that "Administer Content" is not enough either. It does bring back the autocomplete indicator/icon, which made me think that it works, but when I started typing, none of the existing values showed up. The only way I could get it working was by selecting the
    "Bypass content access control" permission. Obviously we don't want to give that to a content editor role.

  • 🇩🇪 Germany Anybody Porta Westfalica

    @gintass please open a new issue as follow-up, linking this one. With clear steps how to reproduce this on a fresh, small Drupal installation, e.g. simplytest.me

    As for the code above, it only needs two things:
    the "access content" permission and "view" permission on the referenced content. But let's not pollute this closed issue. Thanks.
