Content Translation: "update" and "delete" entity operation access checks are not made on the correct entity translation

Created on 29 June 2023, over 1 year ago

Originally reported to the Drupal security team by @hchonov on 13 July 2018 (#167135). Assuming it affects the latest version, this issue's version is set to D10.1

Problem/Motivation

In \Drupal\content_translation\Controller\ContentTranslationController::overview() the access checks for the entity "update" and "delete" operations are made on the current entity object from the route match, which will be loaded in the current content language or in a fallback language. There we iterate through the translation languages of the entity and build the links for the entity operations for each language - for the "update" and "delete" operations. Unfortunately the access check is being made for each language using the entity object from the route match and not the entity translation object for the language for which the links are being built. This is a bug preventing proper entity access control per entity translation.

Steps to reproduce

Proposed resolution

When checking for update and delete operations access use the entity in the corresponding entity translation.
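
The difference between the two checks, as an added example that is not part of the issue or of Drupal core: a standalone PHP model in which the `Translation` class, the `operationLinksBuggy()`/`operationLinksFixed()` functions, the account names and the grants are all constructed for illustration. Only the method names `getTranslation()` and `access()` mirror the entity API.

```php
<?php
// Standalone model, not Drupal code. Translation stands in for one entity
// translation object; the two functions stand in for the per-language link
// building described for ContentTranslationController::overview().

final class Translation {
  /** @var array<string, Translation> All translations of the same entity. */
  public array $siblings = [];

  public function __construct(
    public readonly string $langcode,
    private readonly array $grants, // constructed policy: operation => account names
  ) {}

  public function getTranslation(string $langcode): Translation {
    return $this->siblings[$langcode];
  }

  // Access decision for THIS translation only.
  public function access(string $operation, string $account): bool {
    return in_array($account, $this->grants[$operation] ?? [], true);
  }
}

// Before: every language row is checked against the object from the route match.
function operationLinksBuggy(Translation $routeEntity, string $account): array {
  $rows = [];
  foreach (array_keys($routeEntity->siblings) as $langcode) {
    $rows[$langcode] = $routeEntity->access('update', $account);
  }
  return $rows;
}

// After: each row is checked against the translation its link points to.
function operationLinksFixed(Translation $routeEntity, string $account): array {
  $rows = [];
  foreach (array_keys($routeEntity->siblings) as $langcode) {
    $rows[$langcode] = $routeEntity->getTranslation($langcode)->access('update', $account);
  }
  return $rows;
}

// Constructed sample: "editor_en" may update only the English translation.
$en = new Translation('en', ['update' => ['editor_en']]);
$de = new Translation('de', ['update' => ['editor_de']]);
$en->siblings = $de->siblings = ['en' => $en, 'de' => $de];

var_dump(operationLinksBuggy($en, 'editor_en'));
var_dump(operationLinksFixed($en, 'editor_en'));
```

In the first dump the German row inherits the English translation's decision; in the second each row reflects its own translation's grants.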

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Closed: duplicate

Version

10.1 ✨

Component
Content translation

Last updated 3 days ago

No maintainer
Created by

🇳🇱 Netherlands dokumori Utrecht


Comments & Activities

  • Issue created by @dokumori
  • 🇳🇱 Netherlands dokumori Utrecht

    comment by @berdir

    Considerable parts of this fix have been part of a public issue since 2018: https://www.drupal.org/node/2155787 .

    However, the public patch there does more things that I think are questionable and I think are not necessary, but I'm not sure how to move forward with that public issue. Focusing on this problem there would basically put even more focus on those parts and be the same as fixing this publicly. This also has tests that would be nice to have.

    AFAIK, worst case scenario is that it allows someone to change or add translations of an entity in a language that they are not meant to. That's definitely a bug, but a security issue? I personally don't think so. We could just make it public?

  • Status changed to Closed: duplicate over 1 year ago
  • 🇺🇸 United States greggles Denver, Colorado, USA

    Seems like this is a duplicate.
