Purge users should define its own permissions

Created on 20 May 2022, over 2 years ago

Updated 9 May 2023, over 1 year ago

Problem/Motivation

the routes are accessible by users with 'administer users' permissions, this is to wide of a permission, and is a security issue if not managed properly.

Steps to reproduce

create user with 'administer users', visit /admin/people/purge-rule

Proposed resolution

create own permissions for both routes, change routes access

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Fixed

Version

3.0

Component

Code

Created by

🇷🇴Romania Andras_Szilagyi

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇩🇪Germany Anybody Porta Westfalica
This is RTBC'd and tests are green, merging!
Comment over 1 year ago →
System Message

Anybody → committed 578460ed on 8.x-3.x
Issue #3281626 by _shY, Anybody: Purge users should define its own...
Status changed to Fixed over 1 year ago4:24pm 9 May 2023
Comment over 1 year ago →
🇩🇪Germany Anybody Porta Westfalica
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024