-
roderik β
committed 9301532a on 8.x-3.x
Issue #3211479 by roderik, bmelvin1, adamfranco, John Franklin, azinck:...
-
roderik β
committed 9301532a on 8.x-3.x
- Status changed to Fixed
12 months ago 7:12pm 28 December 2023 - π³π±Netherlands roderik Amsterdam,NL / Budapest,HU
Thank you all for your input.
Linking is now still disabled by default, but the restriction can be undone by configuring a special value ["anonymous"] (must be a single-element array value) as the 'map_users_roles' setting.
So everyone who is running with a patch from this issue, can drop the patch after they update to the next version (when released) and change their 'map_users_roles' setting. In the UI, this is equivalent to checking the "Allow all Drupal users to be linked" box.
I needed to let this stew "for a bit" (which can easily become years) and
- There have been arguments for making this deny-list of role into a sort of allow-list, but I'm not convinced of the added security benefit (vs. the original security issue that added this option) and no argument came from a practical situation. So I've ignored that for now. If anyone finds this issue / wants this, they can reopen it.
- The option to explicitly bypass the whole role checking (which is what the patch also adds) is fine, though... as long as we don't have that on by default / on new installations.
- I realized I don't need a new configuration value to implement this. In practice, the array value for 'map_users_roles' never contains the values "anonymous" and "authenticated". So instead of 'empty array' (as the contributed patch does), I can use the special value ["anonymous"] for this.
So that's done now, with some UI tweaking to make things clearer.
I hope / think I haven't missed anything else important in the conversation.
Automatically closed - issue fixed for 2 weeks with no activity.