Increase access level required for content permissions rebuilds

Created on 3 November 2022, about 2 years ago
Updated 12 June 2023, over 1 year ago

Problem/Motivation

The \Drupal\node\Form\RebuildPermissionsForm is accessible to any user with the access administration pages permission. Rebuilding permissions can be a long and very disruptive process for sites with lots of content access permissions and should be restricted to a higher level of permission.

In fact, the final step of the rebuild process redirects the user to /admin/reports/status, which requires the administer site configuration permission, so for certain configurations the user will be redirected to a 403 Access Denied message after the rebuild completes.

Steps to reproduce

  1. Flag permissions for rebuild.
  2. Log in as a user with the access administration pages permission but not the administer site configuration permission.
  3. Observe a notification about rebuilding permissions and click the link to do so.
  4. Rebuild the permissions.
  5. Observe a 403 Access Denied response on completion.

Proposed resolution

Use the administer nodes permission for access control to the rebuild form and operation.

This means the user could still end up with a 403 Access Denied without the additional administer site configuration permission, but administer site configuration feels like it does not fit quite as well for the rebuild permission.

Remaining tasks

Create a branch with the proposed change.

User interface changes

None.

API changes

None.

Data model changes

None.

Release notes snippet

Rebuilding permissions now requires the administer nodes permission. Previously only the access administration pages permission was required. Site owners should review and adjust permissions as necessary to ensure proper access to the rebuild permissions functionality.

📌 Task
Status

Fixed

Version

11.0 🔥

Component
Node system 

Last updated 4 days ago

No maintainer
Created by

🇺🇸United States wells Seattle, WA
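
For the permission review that the release note asks of site owners, an added example (not Drupal core code and not part of the original issue): a Python audit over exported role configuration that flags roles losing rebuild access under the new requirement and roles that can rebuild but still hit the 403 on the status report redirect. The role contents below are constructed, and the flat `user.role.*.yml` layout with an `id`, an `is_admin` flag and a `permissions:` list is an assumption of this example.

```python
import re

OLD_PERM = "access administration pages"       # previous requirement for the rebuild form
NEW_PERM = "administer nodes"                  # requirement after this change
STATUS_PERM = "administer site configuration"  # needed by /admin/reports/status

def parse_role(yaml_text):
    """Read id, is_admin and permissions from one exported role file.
    Line-based reader for the flat layout assumed here, not a general YAML parser."""
    role = {"id": None, "is_admin": False, "permissions": set()}
    in_perms = False
    for line in yaml_text.splitlines():
        item = re.match(r"^\s*-\s+'?([^']+?)'?\s*$", line)
        if in_perms and item:
            role["permissions"].add(item.group(1))
            continue
        in_perms = line.startswith("permissions:")
        key = re.match(r"^(id|is_admin):\s*(\S+)", line)
        if key and key.group(1) == "id":
            role["id"] = key.group(2)
        elif key:
            role["is_admin"] = key.group(2) == "true"
    return role

def classify(role):
    perms = role["permissions"]
    if role["is_admin"]:
        return "ok"                    # admin roles are granted every permission
    if NEW_PERM not in perms:
        return "loses-rebuild" if OLD_PERM in perms else "never-had-rebuild"
    if STATUS_PERM not in perms:
        return "rebuild-then-403"      # can rebuild, then is redirected to a 403
    return "ok"

def audit(role_files):
    roles = [parse_role(text) for text in role_files.values()]
    return {r["id"]: classify(r) for r in roles}

# Constructed sample exports (not taken from a real site).
SAMPLE_ROLES = {
    "user.role.member.yml": "id: member\nis_admin: false\npermissions:\n  - 'access content'\n",
    "user.role.helper.yml": "id: helper\nis_admin: false\npermissions:\n  - 'access administration pages'\n",
    "user.role.editor.yml": "id: editor\nis_admin: false\npermissions:\n  - 'access administration pages'\n  - 'administer nodes'\n",
    "user.role.manager.yml": "id: manager\nis_admin: false\npermissions:\n  - 'administer nodes'\n  - 'administer site configuration'\n",
    "user.role.administrator.yml": "id: administrator\nis_admin: true\npermissions: []\n",
}

if __name__ == "__main__":
    for role_id, verdict in audit(SAMPLE_ROLES).items():
        print(f"{role_id}: {verdict}")
```

Roles reported as `loses-rebuild` are the ones to review before upgrading; `rebuild-then-403` roles match the remaining 403 case described in the proposed resolution.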
