Automatically closed - issue fixed for 2 weeks with no activity.
- ππΊHungary mxr576 Hungary
if there is missing entity access check
in \Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities() - because it seems it only relies on query level access checking...Indeed, that is the reason.
- π·π΄Romania claudiu.cristea Arad π·π΄
@penyaskito but it's still username enumeration, right?
- ππΊHungary mxr576 Hungary
Hm, reminder to me to check if there is missing entity access check
in\Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities()
- because it seems it only relies on query level access checking... - and that could be a reason why the "Author" autocomplete works interesting in node edit form when View Usernames and friends are enabled. - πͺπΈSpain penyaskito Seville π, Spain πͺπΈ, UTC+2 πͺπΊ
@claudiu.cristea #43 Those are behind a secret based on the salt. See
\Drupal\Core\Entity\Element\EntityAutocomplete::processEntityAutocomplete
and\Drupal\system\Controller\EntityAutocompleteController::handleAutocomplete
$selection_settings_key
argument. - ππΊHungary mxr576 Hungary
... and now these modules are also available in Recipes.
https://www.drupal.org/project/user_privacy_core β
https://www.drupal.org/project/user_privacy_cms β