Replace bypass node access for security team

Created on 19 March 2025, about 1 month ago

Problem/Motivation

Since new.drupal.org was launched on a deadline with many contributors, we audited permissions on the site before opening up SSO to all Drupal.org users. During this, we discovered things that could have been done better in D7. The security team role has “bypass node access” which is an overpowered permission.

Proposed resolution

The security team role will retain Administer content, so most node access will remain. What will be missing is access to unpublished nodes. They will need access to unpublished:

  • security advisories for drafting security advisories
  • releases for coordinated publishing
  • issues for misreported security issues
  • (Projects are not unpublished in general, unless they have been caught in spam filters, so that access should not be needed)
📌 Task
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸 United States drumm NY, US
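
One way to scope the access described under "Proposed resolution" is sketched below. This is an added example, not code from the issue or from drupal.org's code base. The module name `secteam_access`, the permission string and the three bundle machine names are assumptions made for illustration.

```php
<?php

/**
 * @file
 * Hypothetical module "secteam_access" (name assumed for this example).
 *
 * Assumes a permission "view unpublished security team content" is declared
 * in secteam_access.permissions.yml and granted only to the security team role.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Node bundles the security team must see while unpublished.
 *
 * Machine names are placeholders; projects are deliberately left out.
 */
const SECTEAM_ACCESS_BUNDLES = ['security_advisory', 'release', 'issue'];

/**
 * Implements hook_node_access().
 */
function secteam_access_node_access(NodeInterface $node, $op, AccountInterface $account) {
  // Only widen "view"; other operations are left to the permissions the
  // role already holds.
  if ($op !== 'view') {
    return AccessResult::neutral();
  }

  // Published nodes and out-of-scope bundles fall through to normal handling.
  $in_scope = !$node->isPublished()
    && in_array($node->bundle(), SECTEAM_ACCESS_BUNDLES, TRUE);

  // allowedIf() yields "allowed" or "neutral", never "forbidden", so this
  // hook cannot take access away from anyone.
  return AccessResult::allowedIf(
      $in_scope && $account->hasPermission('view unpublished security team content')
    )
    ->cachePerPermissions()
    ->addCacheableDependency($node);
}
```

`hook_node_access()` covers direct entity access checks only; listings built on database queries are filtered separately and need their own handling of unpublished nodes.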
