Contrib.social

Security: avaibility of endpoints according to islands

Open on Drupal.org →
Created on 25 September 2025, about 1 month ago
Updated 27 September 2025, about 1 month ago

Problem/Motivation

Following 📌 Security: Set Instance access handler Active where InstanceAccessControlHandler checks

  • if the user has the permission to use the current profile
  • if the user has the permission to update the current display

The first checks (about the current profile) is not enough, we need to also check each ApiController endpoint according to the island activated in the profile.

Proposed resolution

We don't do checks for "safe" endpoints:

  • display_builder.api_get

We do checks for unsafe endpoints:

  • display_builder.api_root_attach available only if BuilderPanel or LayersPanel island
  • display_builder.api_slot_attach available only if BuilderPanel or LayersPanel island
  • display_builder.api_update available only if BuilderPanel or LayersPanel island is activated
  • display_builder.api_paste available only if Menu island is activated
  • display_builder.api_duplicate available only if Menu island is activated
  • display_builder.api_delete available only if MenuDelete island is activated
  • display_builder.api_save_preset available only if MenuPreset island is activated
  • display_builder.api_third_party_settings_update only if UiSkinsPanel, UiStylesPanel or VisibilityConditionsPanel. Do we need to be more precise and check each panel differently?
  • display_builder.api_undo available only if HistoryButtons island is activated
  • display_builder.api_redo available only if HistoryButtons island is activated
  • display_builder.api_save available only if StateButtons island is activated
  • display_builder.api_restore available only if StateButtons island is activated
  • display_builder.api_revert available only if StateButtons island is activated
  • display_builder.api_clear available only if HistoryButtons island is activated with clear button activated
  • display_builder.api_sse available only if Collaboration island is activated

Do we need to add a method to IslandInterface? in order to get the list of endpoints allowed by each island.

Then, we can loop on activated islands and build the union of endpoints allowed by all activated islands.

📌 Task
Status

Active

Version

1.0

Component

Main / Misc.

Created by

🇫🇷France pdureau Paris

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

No activities found.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024