Whitelist views/displays in View access check

Open on Drupal.org →

Created on 28 May 2021, over 3 years ago

Updated 2 September 2024, 5 months ago

Problem/Motivation

Some popular contrib modules (e.g. webform) provide views without permission checks.
There is a request to add access checks to webform but the discussion in #2499029: Add Default Views access control → is not finished (last comment two years ago).
So I think a possibility to whitelist whole views or view displays would be quite nice.
There is a similiar issue #2687099: Webform 4 default Views triggering Views access warning → for the 7.x branch with a patch but I think for 3.0.x we should use the setting mechanism already provide by security review.

Other modules providing views without access check are commerce and profile (see #3259261: Missing Views access restrictions according to Security Review module → )

Steps to reproduce

Enable webform and security review's "Views access" check. Run the check and you'll get a failure "Webform submissions: default".

Proposed resolution

Add settings to ignore whole views (view_name) or displays (view_name:display_name) - similiar to TrustHostSettings and the proposal in ✨ Make fields check more useful with risky content (allowlist of content?) Fixed .
Ignore those values in ViewsAccess::run().

Remaining tasks

None.

User interface changes

None.

API changes

None.

Data model changes

No real data model changes but new config settings for ignores.

✨ Feature request

Status

Needs review

Version

3.0

Component

Code

Created by

🇩🇪Germany gngn

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Merge Requests

!77Whitelist views/displays in View access check
Open
🇩🇪Germany gngn
updated 5 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 5 months ago →
🇩🇪Germany gngn
I reopen this for 3.0.x because it is still an issue, I do not think the other modules are going to provide access checks and I really like to have a clean security review ;)

The patch is a bit smaller than the one provided for 8.x in #2 (mainly because we already have config for the views access check).
Like #2 you can enter whole views or distinct displays to ignore (i.e. "webform_submissions" or "webform_submissions:embed_default").

I also updated the description.
Status changed to Needs work 5 months ago9:12pm 2 September 2024
Comment 5 months ago →
🇺🇸United States smustgrave
Will have to think about adding this one but fixes should be in MRs
Merge request !77Update ViewsAccess.php - whitelist views → (Open) created by gngn
Status changed to Needs review 5 months ago11:25pm 2 September 2024
Comment 5 months ago →
🇩🇪Germany gngn
I created a MR.
hope everything went OK (I'm still not used to MRs).
Pipeline finished with Success
5 months ago
Total: 318s
#271995
Pipeline finished with Success
5 months ago
Total: 134s
#272005
Comment 4 months ago →
🇺🇸United States smustgrave
Will need to update schema + update hook.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024