BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission

Created on 20 October 2023, 8 months ago
Updated 1 January 2024, 6 months ago

Problem/Motivation

In πŸ› Information disclosure access bypass for revision log fields when the JSON:API module is enabled Fixed I need to remove the administer block content permission for GET methods, in testCollection we do filtering on the unpublished blocks. jsonapi_jsonapi_entity_filter_access only allows this for users with the admin permission.

In ✨ Add more granular block content permissions Fixed we added more permissions to be able to view unpublished block content entities, they should be allowed too:

AccessResult::allowedIf($entity->isPublished())
  ->orIf(AccessResult::allowedIfHasPermissions($account, [
    'access block library',
  ]))
  ->orIf(AccessResult::allowedIfHasPermissions($account, [
    'administer block content',
  ]))

Steps to reproduce

See πŸ› Information disclosure access bypass for revision log fields when the JSON:API module is enabled Fixed

Proposed resolution

Add
JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'access block library'), to jsonapi_jsonapi_block_content_filter_access
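
A sketch of the proposed resolution written as a hook implementation. It is an added example, not the core patch or the author's code; the module name example_block_filter is hypothetical, and only the array entry itself comes from this issue.

```php
<?php

/**
 * @file
 * Added example: hook implementation for a hypothetical module named
 * "example_block_filter". Not Drupal core code.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for 'block_content'.
 *
 * Filter access decides which subset of entities a JSON:API filter
 * condition may be evaluated against. It should never be broader than what
 * the entity access handler lets the account view, otherwise a filter on a
 * field of an unpublished block can reveal data the account cannot read.
 */
function example_block_filter_jsonapi_block_content_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // The block content access handler quoted in this issue allows viewing
    // unpublished blocks with 'access block library', so filtering among
    // all blocks (published or not) is tied to that same permission.
    // allowedIfHasPermission() also adds the user.permissions cache context,
    // so the decision is not cached across accounts with different roles.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'access block library'),
  ];
}
```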

πŸ› Bug report
Status

Fixed

Version

10.1 ✨

Component
JSON API

Last updated 1 day ago

Created by

🇦🇺 Australia acbramley
