- quietone (New Zealand)
Removing the novice tag because of #26 and #27
In \Drupal\user\Access\RoleAccessCheck, if the user has no roles:
This is a hypothetical scenario; it was confirmed with the Security team that it would never happen in real life.
A user will at least have the anonymous role at minimum.
However, in testing, if we have a user without a role, the following code in the class returns an empty diff and the user is allowed in:
```php
$diff = array_diff($explode_and, $account->getRoles());
if (empty($diff)) {
  return AccessResult::allowed()->addCacheContexts(['user.roles']);
}
```
It is not possible to reproduce this with a Drupal setup, only in tests.
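The weak check beside a tightened one, as an added stand-alone example (not Drupal's own code): a simplified stand-in for the AND branch of RoleAccessCheck::access(), assuming the route's "+"-separated requirement has already been split into $requiredRoles, and with constructed role names.

```php
<?php
// Added example, not Drupal's code. Stand-in for the AND branch of
// \Drupal\user\Access\RoleAccessCheck::access(); $requiredRoles is assumed
// to be the already-split "+" requirement, $accountRoles the account's roles.

// Weak form: allowed whenever the diff is empty. With no roles on the account
// and nothing left to require, the diff is empty and access is granted.
function weakRoleCheck(array $requiredRoles, array $accountRoles): string {
  $diff = array_diff($requiredRoles, $accountRoles);
  if (empty($diff)) {
    return 'allowed';
  }
  return 'neutral';
}

// Tightened form: an account with no roles, or an empty requirement, never
// yields "allowed"; it returns neutral so other access checks get a chance.
function tightRoleCheck(array $requiredRoles, array $accountRoles): string {
  if (empty($requiredRoles) || empty($accountRoles)) {
    return 'neutral';
  }
  $diff = array_diff($requiredRoles, $accountRoles);
  return empty($diff) ? 'allowed' : 'neutral';
}

// Constructed cases mirroring the "user with no role" test the summary asks for.
$cases = [
  'no roles, nothing required' => [[], []],
  'no roles, role required'    => [['editor'], []],
  'has both required roles'    => [['editor', 'reviewer'], ['authenticated', 'editor', 'reviewer']],
];
foreach ($cases as $label => [$required, $roles]) {
  printf("%-28s weak=%-8s tight=%s\n", $label,
    weakRoleCheck($required, $roles), tightRoleCheck($required, $roles));
}
```

Only the first case differs between the two forms: the weak check reports allowed, the tightened one neutral.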
To Reproduce:
- In \Drupal\Tests\Core\Route\RoleAccessCheckTest
- Add a user with no role
- Add a test of user with no role should not get in
- The test will fail.
We should tighten up the check so that if the role is not there, we return AccessNeutral.
- Add a patch
- Modify \Drupal\Tests\Core\Route\RoleAccessCheckTest test
Update tests and tighten RoleAccessCheck
Needs work
11.0