#Security improvements

andypost → closed merge request !2210

@jibla, just update the above comment for DrushCaller. Since the allowlist categorization doesn’t seem so stable, I decided to make it a text area where the user can opt-in to allowed commands or use the * wildcard.

@gagosha
✅ 1. I see the permission.
✅ 2. I see user selection in token authentication.
✅ 3. Content types are disallowed by default.
❓4. Regarding drush - I don't see the granular form described, but the textarea. Is it how its intended to be used?

Rebased and fixed tests.

Hiding patch files

prudloff → changed the visibility of the branch 2846365-regression-user-roles to hidden.

prudloff → changed the visibility of the branch 11.x to hidden.

prudloff → changed the visibility of the branch 9.2.x to hidden.

prudloff → changed the visibility of the branch 2940879-dont-automatically-set to hidden.

prudloff → changed the visibility of the branch 11.x to hidden.

prudloff → changed the visibility of the branch 9.2.x to hidden.

I added and updated the patch from the private issue.
People from the "Fixed by" section of https://www.drupal.org/sa-core-2024-002 → should probably be credited.

It is now displayed here: https://github.com/drupal/drupal/security

I agree that we technically cover all code on git.drupalcode.org, if the project is opted into security advisory coverage and has stable release. So also recipes (https://new.drupal.org/browse/recipes) and general projects ( https://www.drupal.org/project/project-general → ).

We probably need to update the wording in https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett... → , but in the SA policy ( https://www.drupal.org/drupal-security-team/security-advisory-process-an... → ), the project types (modules, themes, distributions) are not explicitly mentioned and the policy is not restricted to these types.

@nicxvan re #28, not everything in that comment was addressed. I guess recipes don’t count? IMO this text shouldn’t cite specific project types.