- Issue created by @mherchel
Had a discussion with @phenaproxima and @thejimbirch at https://drupal.slack.com/archives/C2THUBAVA/p1715706878192159. Moving discussion to this issue.
Recipes have the ability to add/edit permissions. This has the potential to be problematic from a security perspective.
I have configured my article content type to NOT be viewable by anonymous users. I install a recipe that adds tags or something. The recipe (for whatever reason) adds anonymous users back to the article CT. I'd never know this until 💩 has hit the 🪭!
After permissions have been changed, let the user know, and tell them they can review/modify the permissions (and link to it).
According to @phenaproxima, we can surface messages like
"Anonymous" user role received "view any article content" permission
Active
1.0
Code
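The notification requested above amounts to comparing role permissions before and after a recipe is applied. The following is an added example, not code from the Recipes project or from the issue participants; the function name `diff_role_permissions()`, the snapshot array shape, and the sample roles are assumptions made for illustration.

```php
<?php
// Added example in plain PHP (no Drupal bootstrap needed).
// Assumed snapshot shape: role ID => ['label' => string, 'permissions' => string[]].

/**
 * Returns one message per permission granted or revoked between two snapshots.
 */
function diff_role_permissions(array $before, array $after): array {
  $messages = [];
  foreach ($after as $id => $role) {
    $is_new = !isset($before[$id]);
    $old = $before[$id]['permissions'] ?? [];
    // Permissions present now but not before: the security-relevant case.
    foreach (array_diff($role['permissions'], $old) as $perm) {
      $messages[] = sprintf('"%s" user role%s received "%s" permission',
        $role['label'], $is_new ? ' (new role)' : '', $perm);
    }
    // Revocations are reported too, since they can break expected access.
    foreach (array_diff($old, $role['permissions']) as $perm) {
      $messages[] = sprintf('"%s" user role lost "%s" permission',
        $role['label'], $perm);
    }
  }
  // Roles that no longer exist after the recipe ran.
  foreach (array_diff_key($before, $after) as $role) {
    $messages[] = sprintf('"%s" user role was removed', $role['label']);
  }
  return $messages;
}

// Constructed sample snapshots, taken before and after applying a recipe.
$before = [
  'anonymous' => ['label' => 'Anonymous', 'permissions' => ['access content']],
  'editor' => ['label' => 'Editor',
    'permissions' => ['create article content', 'administer nodes']],
];
$after = [
  'anonymous' => ['label' => 'Anonymous',
    'permissions' => ['access content', 'view any article content']],
  'editor' => ['label' => 'Editor', 'permissions' => ['create article content']],
  'tagger' => ['label' => 'Tagger', 'permissions' => ['create terms in tags']],
];

foreach (diff_role_permissions($before, $after) as $message) {
  echo $message, PHP_EOL;
}
```

On a real site the two snapshots could be built from `Role::loadMultiple()` using each role's `label()` and `getPermissions()`, captured immediately before and after the recipe runs.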