- Issue created by @prudloff
The "access security review list" permission allows seeing security check results, which can contain sensitive information about the website (path of unprotected folders, etc.).
The README correctly says:

    NOTICE: This module provides information on the state of your site's security so it is imperative you grant these permissions to trusted roles and users only. For instance, if you have an admin role, be sure that all the users who have been granted this role are indeed users you trust if you grant them these permissions.
But in security_review.permissions.yml, these permissions don't have "restrict access: true", so Drupal doesn't know they are dangerous.
Add the "restrict access" flag to the "access security review list" permission.
(This has been discussed privately with the security team and it was decided it could be handled publicly.)
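The change the issue asks for, shown as an added before/after fragment of security_review.permissions.yml (example written for this page, not the module's actual file; the permission title text is assumed):

```yaml
# BEFORE (weak): the permission is defined without the flag, so the
# permissions UI shows it like any harmless permission.
access security review list:
  title: 'Access security review list'   # title wording assumed

# AFTER (fixed): Drupal core reads "restrict access" from the module's
# *.permissions.yml and renders the warning "Give to trusted roles only;
# this permission has security implications." next to the checkbox on
# admin/people/permissions, the same treatment core gives to
# "administer permissions".
access security review list:
  title: 'Access security review list'   # title wording assumed
  restrict access: true
```

The flag only changes what site builders see on the permissions page; it does not restrict who can be granted the permission, so the README's advice about trusted roles still applies.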
Status: Active. Version: 3.1. Component: Code.