Contrib.social

Notify the developer if #access is anything other than an allowed boolean or access result object.

Open on Drupal.org →
Created on 23 May 2025, about 2 months ago

Problem/Motivation

Currently if a form element contains an invalid #access value, it will be silently evaluated to a boolean.
This could make some security bugs hard to detect.

Steps to reproduce

Add something like this to a form element:

'#access' => new \stdClass(),

The form element is displayed and processed.

Proposed resolution

We could log a warning if the value is not a boolean or an AccessResultInterface object.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Feature request
Status

Active

Version

11.0 🔥

Component

forms system

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024