- Issue created by @RicardoPeters
- 🇳🇱Netherlands RicardoPeters
Updated version, guess this is in any upcoming version, and IMHO is a security related issue because of the "leaking" of data.
When a user submits a post to a closed group an activity is shown in the stream for anonymous users.
It looks like the access check is not being called, debugging shows the ActivityAccessController::checkAccess is not being called within the stream.
Create a closed group
Post something to the group as a member of that group
Log out or open a window where you're logged out
View the homepage stream
There is an activity for this post shown (however not in full detail)
For further debugging purposes we've loaded the post by ID in a sandbox environment.
Which basically looked like this:
$post = Post::load($pid);
$activity = Activity::load($aid);
$user = User::load(0);
$post_result = $post->access('view', $user);
$activity_result = $activity->access('view', $user);
Both post_result as activity_result returned false, but the activity was still being shown. So it looks like the access checks are at least ignored, or not ran at all?
In my opinion this is "leaking" data that you might not want anonymous users to know.
Is this something that is configurable, and I have missed in the settings?
Or is indeed the ActivityAccessController not being called?
Active
12.1
Activity/Notifications
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Updated version, guess this is in any upcoming version, and IMHO is a security related issue because of the "leaking" of data.