- Issue created by @sketman
- Assigned to TomTech
- Status changed to Closed: cannot reproduce
about 1 year ago 10:01pm 18 November 2023 - United States TomTech
Hi @sketman,
Thanks for the report.
Out of the box, commerce_license does NOT have a view at the path user/%uid/licenses. The admin view that is provided at admin/commerce/licenses requires the permission access commerce_license overview. The view you refer to does not appear to come from the commerce_license module, but is most likely a custom view on your site. (Or possibly provided by another module, though I'm not currently aware of one that does.)
Note: If this was a security issue, it should NOT be reported in the public issue queue. There is a banner and link at the top of the Create Issue page that directs you to a page for reporting Security issues.
Presuming you have defined your own view, and it has a contextual filter for the license:owner, the most likely reason this is occurring is that the filter value is not being validated. It should look like this:
This configuration ensures that the view results are only shown if the uid in the path matches the current user, unless the user has the administrative permission of View any licenses, in which case they can see any user's licenses.
- Slovakia sketman
Hello @TomTech,
many thanks for the fast and exhausting answer, I really appreciate it.
You were right with your assumptions, it is my custom view and your solution worked for me, adding the validation criteria did the trick.
Also I apologize for the way I reported the security issue, I will now know for the future. Thanks once again.
- Denmark Stizzi
I am also interested in the "Commerce License Access Control" module, so I made a fresh installation of D10 and Commerce, with the same Commerce license access control fork/patch, and ACL-2.0.0-beta1, and could not reproduce the issue, at least not with this URL /user/xx/licenses
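The check TomTech describes above (the uid in the path must equal the current user unless the user holds the "View any licenses" permission) can also be expressed as a custom Views argument validator plugin, so a view at user/%uid/licenses cannot be made to list another user's licenses by editing the URL. This is an added example, not code from commerce_license or from anyone in this thread; the module name mymodule, the plugin id own_licenses_uid and the permission machine name are assumed placeholders.

```php
<?php

namespace Drupal\mymodule\Plugin\views\argument_validator;

use Drupal\Core\Session\AccountInterface;
use Drupal\views\Plugin\views\argument_validator\ArgumentValidatorPluginBase;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Accepts a uid contextual filter value only for the current user, or for a
 * user holding the "View any licenses" permission.
 *
 * @ViewsArgumentValidator(
 *   id = "own_licenses_uid",
 *   title = @Translation("Current user or user with 'View any licenses'")
 * )
 */
class OwnLicensesUid extends ArgumentValidatorPluginBase {

  // Placeholder: replace with the real machine name of "View any licenses".
  const VIEW_ANY_PERMISSION = 'PLACEHOLDER_view_any_licenses';

  protected AccountInterface $currentUser;

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    $instance = new static($configuration, $plugin_id, $plugin_definition);
    $instance->currentUser = $container->get('current_user');
    return $instance;
  }

  /**
   * Views calls this with the raw path value; FALSE makes the view show
   * its "no results"/access-denied behaviour instead of leaking rows.
   */
  public function validateArgument($argument) {
    $account = $this->currentUser;
    return static::isAllowed($argument, (int) $account->id(), $account->hasPermission(self::VIEW_ANY_PERMISSION));
  }

  public static function isAllowed($argument, int $currentUid, bool $canViewAny): bool {
    // Reject anything that is not a plain positive integer ("", "3abc", "0", arrays).
    if (!is_int($argument) && !is_string($argument)) {
      return FALSE;
    }
    if (!ctype_digit((string) $argument) || (int) $argument === 0) {
      return FALSE;
    }
    // Admins may view any user's licenses; everyone else only their own.
    return $canViewAny || (int) $argument === $currentUid;
  }

}
```

Select the validator under the contextual filter's "Specify validation criteria" and set the action on failure to "Hide view" (or "Display access denied") so an unvalidated uid never reaches the query.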