Should not be able to bypass sitewide user form

Open on Drupal.org →

Created on 18 July 2025, 9 days ago

Problem/Motivation

The sitewide user form can be bypassed by calling the submission route and passing a query parameter.

Proposed resolution

The user account form and the sitewide account form should have separate submission routes, each with their own permission requirements. this way no one can bypass by passing a query parameter to the route.

🐛 Bug report

Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States MegaKeegMan

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!6Should not be able to bypass sitewide user form
Merged
🇺🇸United States MegaKeegMan
updated 9 days ago

Comments & Activities

Issue created by @MegaKeegMan
Merge request !6Issue #3536904: Should not be able to bypass sitewide user form → (Merged) created by MegaKeegMan
Comment 9 days ago →
🇺🇸United States MegaKeegMan
Comment 9 days ago →
🇺🇸United States MegaKeegMan
I have tested that authorization continues to work on both forms
Comment 9 days ago →
System Message

megakeegman → committed 49afe000 on 3.0.x
Issue #3536904: Should not be able to bypass sitewide user form
Comment 9 days ago →
🇺🇸United States MegaKeegMan
Comment 9 days ago →
🇺🇸United States MegaKeegMan

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024