- 🇬🇪Georgia gagosha
@jibla, just update the above comment for DrushCaller. Since the allowlist categorization doesn’t seem so stable, I decided to make it a text area where the user can opt-in to allowed commands or use the * wildcard.
- 🇬🇪Georgia jibla
@gagosha
✅ 1. I see the permission.
✅ 2. I see user selection in token authentication.
✅ 3. Content types are disallowed by default.
❓ 4. Regarding drush - I don't see the granular form described, but the textarea. Is it how it's intended to be used?
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 2846365-regression-user-roles to hidden.
- @prudloff opened merge request.
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 11.x to hidden.
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 9.2.x to hidden.
- First commit to issue fork.
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 2940879-dont-automatically-set to hidden.
- @prudloff opened merge request.
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 11.x to hidden.
- 🇫🇷France prudloff Lille
prudloff → changed the visibility of the branch 9.2.x to hidden.
- First commit to issue fork.
- First commit to issue fork.
- 🇫🇷France prudloff Lille
I added and updated the patch from the private issue.
People from the "Fixed by" section of https://www.drupal.org/sa-core-2024-002 should probably be credited.
- @prudloff opened merge request.
- 🇫🇷France prudloff Lille
It is now displayed here: https://github.com/drupal/drupal/security
- 🇸🇰Slovakia poker10
I agree that we technically cover all code on git.drupalcode.org, if the project is opted into security advisory coverage and has a stable release. So also recipes (https://new.drupal.org/browse/recipes) and general projects (https://www.drupal.org/project/project-general).
We probably need to update the wording in https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett..., but in the SA policy (https://www.drupal.org/drupal-security-team/security-advisory-process-an...), the project types (modules, themes, distributions) are not explicitly mentioned and the policy is not restricted to these types.
@nicxvan re #28, not everything in that comment was addressed. I guess recipes don’t count? IMO this text shouldn’t cite specific project types.
- Issue created by @prudloff