Allow custom view to show data to anonymous user (without 'View site reports' permission)

Created on 24 May 2024, 7 months ago
Updated 25 May 2024, 7 months ago

Problem/Motivation

We'd like to make a custom View that uses data from the Entity Delete Log to share data with anonymous users, without giving anonymous users the 'View site reports' permission (as needed since the security fix in 1.1.1).

Steps to reproduce

Make (or duplicate) a Page View that uses this modules data, set the access permissions to 'Unrestricted'. The page will load for anonymous users, but they cannot see the (most recent) data.
Interestingly, they do get to see whatever data was last generated when an authorized user loaded the view, so there seems to be some caching of query results happening that can leak data to unauthorized users. Will generate a bug report for that.

Proposed resolution

Not sure what the best course of action is. Maybe a new permission that is specific to the Entity Delete Log module (instead of the more general 'View site reports' permission that introduces security risks)?

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Closed: works as designed

Version

1.1

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @Ovquiaf
  • Status changed to Closed: works as designed 7 months ago
  • Sorry, ignore this feature request. I misunderstood the security fix; it is possible to make the view available for anonymous users by setting the access permissions of the view. The problem I'm having is that the contents of the view are not refreshed when I make a view that has broader access permissions. I'll file a bug report for this.

Production build 0.71.5 2024