The following log entries are visible, even when the role the user belongs to has no access:

  • admin/logs
  • admin/logs/watchdog
  • admin/logs/search
  • admin/logs/access-denied
  • admin/logs/page-not-found

Comments

flk’s picture

I can't seem to reproduce this bug on 5.1.

I have tested it on 2 different role types, both with no access to logs... got access denied on both occasions.

chx’s picture

Status: Active » Closed (won't fix)

Then there is nothing to fix.

flk’s picture

Status: Closed (won't fix) » Active

I can't seem to reproduce this bug on 5.1.

I have tested it on 2 different role types, both with no access to logs... got access denied on both occasions.

flk’s picture

Status: Active » Closed (won't fix)

Damn, refreshed browser by accident.

Anonymous’s picture

Status: Closed (won't fix) » Active

In order to reproduce this bug:
Create a user with access "administration pages" rights but without "access statistics".

The logs that are visible:
Recent log entries
Top 'access denied' errors
Top 'page not found' errors
Top search phrases

bonobo’s picture

Priority: Critical » Normal

Changing status --

While this appears to be a bug, this is not a showstopper -- if a user has been placed in a role with rights to the admin pages, it implies a level of trust that goes beyond what could be compromised by viewing these user stats --

Anonymous’s picture

I agree it is not a showstopper.
But, bugs in the access control system should be treated as critical anyway.

"if a user has been placed in a role with rights to the admin pages, it implies a level of trust that goes beyond what could be compromised by viewing these user stats"
That is not documented and therefore misleading. If Drupal was set up with these kinds of implications that go across the system, how would one understand what is going on?

ricabrantes’s picture

Any news about this??

dave reid’s picture

Status: Active » Closed (won't fix)

The Statistics module is actually not at fault here; all the separate modules that add subpages to admin/logs are. Please file separate issues for:
search.module (admin/logs/search)
watchdog.module (admin/logs/watchdog, admin/logs/access-denied, admin/logs/page-not-found)