Allowed Languages does not respect content access permissions and grants access where one should not be granted

Created on 8 March 2023, over 1 year ago
Updated 19 April 2023, over 1 year ago

Problem/Motivation

If a user does not have permission to edit or delete content, they will still get access to delete the content if they have access to the language of the content.

This module should not return allowed access but only restrict access, as is its purpose, and in all other cases simply return a neutral answer, so that the edit and delete access is determined by the corresponding permissions provided by the provider of the target entity.

Steps to reproduce

1. Create a user role with the following permissions used to review content only:

- 'access content overview'
- 'access toolbar'
- 'access user profiles'
- 'change own username'
- 'use workflow transition review_to_draft'
- 'use workflow transition review_to_publish'
- 'view any unpublished content'
- 'view page revisions'
- 'view latest version'
- 'view the administration theme'

2. Give only this new role to a user.
3. Allow access to all languages on the user profile of that user.
4. Log in as that user and navigate to admin/content.
5. Observe that this user has access to the delete operation and can even execute it.

Proposed resolution

Only restrict access but do not grant access. Leave the access granting to the corresponding modules.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Closed: duplicate

Version

2.0

Component

Code

Created by

🇩🇪 Germany hchonov 🇪🇺🇩🇪🇧🇬
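The following stand-alone PHP sketch is an added example, not code from the Allowed Languages module or from the issue author. It models how a language hook's answer is combined with the entity provider's permission check, using the precedence of Drupal's `AccessResult::orIf()`. The function names, the sample accounts and the assumption that the granting variant forbids on a language mismatch are all hypothetical.

```php
<?php
// Simplified stand-in for Drupal's three access states (constructed model).
const ALLOWED = 'allowed';
const NEUTRAL = 'neutral';
const FORBIDDEN = 'forbidden';

// Same precedence as AccessResult::orIf(): forbidden wins, then allowed.
function or_if(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) {
    return FORBIDDEN;
  }
  return ($a === ALLOWED || $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// Entity provider's check: grants only when the permission is held.
function permission_check(array $perms, string $op): string {
  return in_array("$op any page content", $perms, true) ? ALLOWED : NEUTRAL;
}

// Reported behaviour: a language match answers "allowed" (mismatch result assumed).
function language_hook_granting(array $langs, string $langcode): string {
  return in_array($langcode, $langs, true) ? ALLOWED : FORBIDDEN;
}

// Proposed resolution: forbid on mismatch, otherwise stay neutral.
function language_hook_restrict_only(array $langs, string $langcode): string {
  return in_array($langcode, $langs, true) ? NEUTRAL : FORBIDDEN;
}

// Final decision: hook result combined with the provider's check.
function can(callable $hook, array $perms, array $langs, string $langcode, string $op): bool {
  return or_if($hook($langs, $langcode), permission_check($perms, $op)) === ALLOWED;
}

// Constructed accounts: a reviewer without delete permission, an editor with it.
$accounts = [
  'reviewer' => [['view any unpublished content', 'view latest version'], ['en', 'de']],
  'editor' => [['delete any page content'], ['en']],
];
foreach (['language_hook_granting', 'language_hook_restrict_only'] as $hook) {
  foreach ($accounts as $name => [$perms, $langs]) {
    foreach (['en', 'de'] as $langcode) {
      printf("%-28s %-8s delete %s node: %s\n", $hook, $name, $langcode,
        can($hook, $perms, $langs, $langcode, 'delete') ? 'yes' : 'no');
    }
  }
}
```

With the granting hook the reviewer can delete nodes in both languages despite holding no delete permission; with the restrict-only hook the reviewer is denied, while the editor keeps delete access only for the language assigned to them.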
