Determine if names of unviewable entities in cache tags of /xb/api/v0/auto-saves/pending is information disclosure

Created on 11 July 2025

Overview

In 🐛 Pending changes leaking entities that user might have no access to, @larowlan wondered whether the following could be considered "information disclosure": the route /xb/api/v0/auto-saves/pending returns the cache tag 'config:experience_builder.page_region.stark.highlighted' even though the user does not have view access to that region entity and therefore its auto-save is NOT returned in the list. From the tag alone, the user would know that this region has pending changes.

This is shown in the test \Drupal\Tests\experience_builder\Kernel\ApiAutoSaveControllerTest::testGetOmitsNotAccessibleEntities.

The same test shows that the cache tag 'config:experience_builder.js_component.test_code' is returned even though the user will not see that component in their list of changes to review.

It would be a problem if a user could determine, from a cache tag such as 'config:experience_builder.js_component.going_out_business_banner', that a JS Component they cannot view has pending changes.
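The mechanism described above is easy to reproduce outside Drupal. The following is an added example, not Experience Builder or Drupal code: it models a listing endpoint that filters its body by access but collects cache tags for every pending entity, next to a variant that only adds per-entity tags for entities the user may see and covers the rest with type-level list tags. The tag shapes mirror Drupal's per-entity config tag and entity-type list tag; `build_leaky`, `build_hardened`, `disclosed_entities`, the `COVERED_TYPES` list and the `public_footer` entity are assumptions made for the example. `disclosed_entities` is the kind of assertion the kernel test could make on a response: no per-entity tag may name an entity that is absent from the body.

```python
"""Constructed model of how cache tags on an access-filtered listing can
disclose the names of the entities that were filtered out."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple

PROVIDER = "experience_builder"
# Entity types the modelled endpoint aggregates (assumed for the example).
COVERED_TYPES = ("page_region", "js_component")


@dataclass(frozen=True)
class Entity:
    entity_type: str
    name: str

    def cache_tag(self) -> str:
        # Same shape as Drupal's per-entity config cache tag: it names the entity.
        return f"config:{PROVIDER}.{self.entity_type}.{self.name}"


def list_cache_tag(entity_type: str) -> str:
    # Same shape as Drupal's entity-type list cache tag: it names only the type.
    return f"config:{PROVIDER}.{entity_type}_list"


@dataclass
class Response:
    entries: List[Entity]   # entities whose auto-save the user may see
    cache_tags: Set[str]    # what would end up in X-Drupal-Cache-Tags


AccessCheck = Callable[[Entity], bool]


def build_leaky(pending: Iterable[Entity], can_view: AccessCheck) -> Response:
    """Every pending entity becomes a cacheable dependency; only the body is filtered."""
    entries, tags = [], set()
    for entity in pending:
        tags.add(entity.cache_tag())        # added regardless of access: the leak
        if can_view(entity):
            entries.append(entity)
    return Response(entries, tags)


def build_hardened(pending: Iterable[Entity], can_view: AccessCheck) -> Response:
    """Per-entity tags only for entities the user may see; invalidation for the
    rest comes from list tags, which are identical for every user."""
    entries, tags = [], {list_cache_tag(t) for t in COVERED_TYPES}
    for entity in pending:
        if can_view(entity):
            entries.append(entity)
            tags.add(entity.cache_tag())
    return Response(entries, tags)


def parse_entity_tag(tag: str) -> Optional[Tuple[str, str]]:
    """Return (entity_type, name) for a per-entity tag of a covered type, else None."""
    prefix = f"config:{PROVIDER}."
    if not tag.startswith(prefix):
        return None
    rest = tag[len(prefix):]
    if rest in {f"{t}_list" for t in COVERED_TYPES}:
        return None                          # list tag, names no entity
    entity_type, _, name = rest.partition(".")
    if not name or entity_type not in COVERED_TYPES:
        return None
    return entity_type, name


def disclosed_entities(response: Response) -> Set[Tuple[str, str]]:
    """Entities named by a cache tag but absent from the response body."""
    visible = {(e.entity_type, e.name) for e in response.entries}
    found = set()
    for tag in response.cache_tags:
        parsed = parse_entity_tag(tag)
        if parsed is not None and parsed not in visible:
            found.add(parsed)
    return found


# Constructed sample: four pending auto-saves, the user may view only one.
PENDING = (
    Entity("page_region", "stark.highlighted"),
    Entity("js_component", "test_code"),
    Entity("js_component", "going_out_business_banner"),
    Entity("js_component", "public_footer"),   # constructed, not from the issue
)
VIEWABLE = {("js_component", "public_footer")}


def sample_user_can_view(entity: Entity) -> bool:
    return (entity.entity_type, entity.name) in VIEWABLE


def demo() -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    leaky = disclosed_entities(build_leaky(PENDING, sample_user_can_view))
    hardened = disclosed_entities(build_hardened(PENDING, sample_user_can_view))
    return leaky, hardened


if __name__ == "__main__":
    leaky, hardened = demo()
    print("leaky response discloses:", sorted(leaky))
    print("hardened response discloses:", sorted(hardened))
```

The hardened variant trades cache precision for confidentiality: any change to any entity of a covered type invalidates the response, instead of only changes to the entities it lists. In Drupal the access result itself also carries cacheability (for instance a dependency on the user's permissions), which the real controller would still need to merge into the response; the model leaves that out because it does not name entities.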

Proposed resolution

Determine if this is actually information disclosure and if so figure out how to avoid it.

User interface changes

🐛 Bug report
Status

Active

Version

0.0

Component

Auto-save

Created by

🇺🇸United States tedbow Ithaca, NY, USA

