Entity Legal view exposes user acceptance data without permission checks

Created on 6 May 2025

Problem/Motivation

I’ve discovered a potential access control issue in the entity_legal contributed module.

The view defined in the config file views.view.legal_document_acceptances.yml exposes a list of legal document acceptances, including the following fields:

Document Version name
User name (of the user who accepted the document)
Acceptance status

This view does not implement any permission-based access control, meaning any user with access to the view route — potentially including anonymous users, depending on how it is enabled

Proposed resolution

Add an access configuration to the view to limit visibility based on user role.

πŸ› Bug report
Status

Active

Version

4.1

Component

Code

Created by

πŸ‡΅πŸ‡±Poland alorenc Wolsztyn, πŸ‡΅πŸ‡±


Comments & Activities

  • Issue created by @alorenc
  • @alorenc opened merge request.
  • alorenc (Wolsztyn, Poland)
  • huzooka (Hungary)

    I was about to RTBC the MR, but I just noticed that the cache max age of the view was also changed from 0 (no caching) to -1 (cached permanently), so I'm leaving this to the maintainers; maybe they remember why they used 0 initially.
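    The following is an added illustration of the change the proposed resolution describes and of the cache-metadata observation in the comment above. It is not the module's shipped views.view.legal_document_acceptances.yml and not the contents of the merge request; it is a constructed excerpt of a views.view.*.yml export, trimmed to the keys that matter, with the `administrator` role ID, the `legal-document-acceptances` path and the listed cache contexts assumed for illustration.

```yaml
# Constructed excerpt, not the module's own config export.
# Before: access plugin "none" on the default display. The page display
# inherits it (no `defaults: access: false`), so the route is reachable by
# any visitor, anonymous included.
display:
  default:
    id: default
    display_plugin: default
    display_options:
      access:
        type: none
        options: {  }
      cache:
        type: none
        options: {  }
  page_1:
    id: page_1
    display_plugin: page
    display_options:
      path: legal-document-acceptances   # assumed path
    cache_metadata:
      max-age: 0        # cache plugin "none" yields max-age 0
      contexts:
        - url
      tags: {  }
---
# After: access plugin "role" on the default display; page_1 still inherits
# it. The cache plugin is left as "none" on purpose: the access fix alone
# does not require changing it.
display:
  default:
    id: default
    display_plugin: default
    display_options:
      access:
        type: role
        options:
          role:
            administrator: administrator   # assumed role ID; pick the site's own
      cache:
        type: none
        options: {  }
  page_1:
    id: page_1
    display_plugin: page
    display_options:
      path: legal-document-acceptances   # assumed path
    cache_metadata:
      max-age: 0        # unchanged, because the cache plugin is unchanged
      contexts:
        - url
        - user.roles    # added by the role access plugin
      tags: {  }
```

    Two practical checks when reviewing such a change. First, `cache_metadata` is derived from the display's plugins when the view is saved: `max-age` comes from the cache plugin (0 for `none`, -1 permanent for `tag`), and the access plugin contributes its contexts (`user.roles` for `role`, `user.permissions` for `perm`). An access-only fix should therefore add a context and leave `max-age` alone; a diff that also flips `max-age` from 0 to -1 means the cache plugin was changed as well, which is exactly the point raised above and deserves its own justification. Second, confirm that no display overrides the default access with `defaults: access: false` plus its own `access: type: none`, since that display would stay open regardless of the default. Restricting by a specific permission (`type: perm`) rather than a hard-coded role ID is more portable across sites that do not have an `administrator` role.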
