Access bypass when creating a new content translation

Created on 17 March 2025, 21 days ago

Problem/Motivation

This was originally reported as a security issue but then deemed ok to be fixed in public.

When creating a translation you can pick a source translation even if you don't have access to it, i.e. the translation is unpublished. This lets you see all accessible fields.

Proposed resolution

  • Don't list inaccessible translations as source candidates in the selector.
  • Don't populate field values from inaccessible fields/translations when building the edit/translation form.

Remaining tasks

  • Validate the proposed solution
  • Post a MR
  • Perform reviews

User interface changes

None

API changes

None foreseen

Data model changes

None foreseen

Release notes snippet

TBD

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

content_translation.module

Created by

🇮🇹Italy plach Venezia
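
The two checks from the proposed resolution, sketched against Drupal core's entity API as an added example (this is not code from the issue or from any merge request). The function names `example_accessible_source_langcodes()` and `example_copyable_source_values()` are hypothetical, and using the `view` operation as the gate is an assumption.

```php
<?php

use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper: langcodes the account may pick as translation source.
 */
function example_accessible_source_langcodes(ContentEntityInterface $entity, AccountInterface $account): array {
  $langcodes = [];
  foreach ($entity->getTranslationLanguages() as $langcode => $language) {
    // Call access() on the translation object itself so that per-translation
    // state (e.g. an unpublished translation) is what gets evaluated.
    if ($entity->getTranslation($langcode)->access('view', $account)) {
      $langcodes[] = $langcode;
    }
  }
  return $langcodes;
}

/**
 * Hypothetical helper: field values that may be copied from the source.
 */
function example_copyable_source_values(ContentEntityInterface $entity, string $source_langcode, AccountInterface $account): array {
  // Re-check on the server side: the langcode comes from the request, so a
  // value that was never offered in the selector can still be submitted.
  if (!$entity->hasTranslation($source_langcode)) {
    return [];
  }
  $source = $entity->getTranslation($source_langcode);
  if (!$source->access('view', $account)) {
    return [];
  }

  $values = [];
  foreach ($source->getTranslatableFields() as $field_name => $items) {
    // Field-level access can be stricter than entity-level access.
    if ($items->access('view', $account)) {
      $values[$field_name] = $items->getValue();
    }
  }
  return $values;
}
```

Filtering the selector alone is not sufficient, which is why the second helper repeats the translation access check before reading any field values.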
