Protect unpublished security advisories as much as possible

Open on Drupal.org →

Created on 10 September 2024, 3 months ago

Updated 16 September 2024, 3 months ago

With issues moving to GitLab, security.drupal.org will be wound down. Security advisory drafting can move to Drupal.org itself, eliminating the copy SA to www.drupal.org chore on coordinated release. This will however increase the exposure of unpublished advisories to various roles which can view unpublished content.

www.drupal.org does not have a node access module to control listings, but we can limit what is viewable.

Node view - on viewing unpublished security advisory nodes, hide the page content unless someone has the update security release types permission or is a maintainer of the advisory’s project. Use field access API to also remove from API requests.

Node listings - the best I can think of is setting the title to something generic until the advisory is published. The title is already machine-generated toward the end of _drupalorg_sa_validate(), so that is a good start.

Refactor the existing title generation out into a separate function for later, like _drupalorg_sa_title().
If the advisory is unpublished, do not call that new function, set the title to “Draft security advisory” instead.
If the advisory is published, call the function and have it set as before.
On node view, if the user has access, drupal_set_title(_drupalorg_sa_title()), so people can see what the title will be.

✨ Feature request

Status

Active

Version

3.0

Component

Security advisories

Created by

🇺🇸United States drumm NY, US

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!287Protect unpublished security advisories as much as possible
Merged
🇺🇸United States B_man
updated 3 months ago

Comments & Activities

Issue created by @drumm
First commit to issue fork.
Assigned to B_man
Comment 3 months ago →
🇺🇸United States B_man California, USA
Merge request !287Refactor SA title creation into it's own function, hide fields on SAs unless a... → (Merged) created by B_man
Pipeline finished with Skipped
3 months ago
#298364
Comment 3 months ago →
System Message

drumm → committed e875b760 on 7.x-3.x authored by b_man →
Issue #3473445: Protect unpublished security advisories as much as...
Comment 3 months ago →
🇺🇸United States drumm NY, US
This is now deployed. This ended up being a protection for the unpublished node titles that site moderators can see. The SA content itself was already only accessible to security team members until published.
Comment 2 months ago →
System Message

drumm → committed e875b760 on remove-org-credits-view-access-control authored by b_man →
Issue #3473445: Protect unpublished security advisories as much as...
Comment about 2 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024