Problem/Motivation
The glossary view, shipped as part of views/node, is an optional configuration by default. The problem is that the view is missing a filter on the node status, so it can show unpublished node titles, which aren't meant for general consumption.
Steps to reproduce
* Install node and views
* Enable the glossary module
* Create some content which is unpublished
* You'll be able to see the content displayed in the glossary view.
Proposed resolution
Add a status filter by default and update any existing view, if its out there.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
The default glossary
view did not previously include a filter to exclude unpublished content. This view now includes such a filter by default, and an update function is provided with this release to add a status
filter to the view on existing installations which do not have it.
Comment | File | Size | Author |
---|---|---|---|
#22 | 3201393-22.8_9_x.patch | 3.45 KB | dww |
#21 | 3201393-21.patch | 3.37 KB | imalabya |
Comments
Comment #2
dawehnerAttached are two patches copied over from the other issue.
Comment #3
anmolgoyal74 CreditAttribution: anmolgoyal74 at OpenSense Labs for DrupalFit commentedRe-rolled.
Comment #5
imalabyaUpdated patch to fix tests.
Comment #7
jenlamptonAdding backport tags.
Comment #8
LendudeFresh export, lets see what this does
Comment #9
LendudeOther patch snuck some change in here, ignore #8
Comment #10
LendudeBit of a clean up
Comment #12
LendudeHuh, so assertEmpty doesn't allow unset indexes, weird....
Comment #13
Abhijith S CreditAttribution: Abhijith S as a volunteer and at Zyxware Technologies commentedApplied patch #12.The status filter is added by this patch.
Before patch;
After patch:
RTBC +1
Comment #14
dwwFix is simple (add the missing status to the default view).
There's an update path, with a test, so that's great.
Existing sites will end up with a default status filter on this view (as desired).
Code all looks clean and good. No code style violations or anything to complain about.
My only hesitations before RTBC are:
Otherwise, I think this is RTBC.
Thanks!
-Derek
Comment #15
LendudeThanks @dww.
#15.1 Release snippet makes sense, something to alert admins that their View might be showing a different result set now sounds great.
#15.2
\Drupal\Tests\node\Functional\Views\StatusExtraTest
is the somewhat weirdly named explicit test for this filter and it isless explicitly tested for example in
\Drupal\Tests\node\Functional\NodeAdminTest::testContentAdminPages
Comment #16
dwwThanks @Lendude,
As I mentioned in Slack,
\Drupal\Tests\node\Functional\Views\StatusExtraTest
is testing the fancystatus_extra
filter, the "Published or admin" thing. This issue is adding the regularstatus
filter, for only showing published nodes, even to admins. It's this second "simple" filter that I couldn't find any existing test coverage for, which is what's making me nervous.I'm also thinking that if it's worth the trouble to have an upgrade path test, it seems worth having explicit coverage (at least for access bypass bugs like this) for the default view itself. Maybe that's starting down a slippery slope. But if we're relying on default views to provide more and more functionality in core (yay), and those default views have access bypass bugs (boo), seems we should be adding test coverage as we go, to ensure that the views we ship are secure by default.
Comment #17
Lendude@dww yeah you are right about the tests being for the other filter. Did some more digging, and the filter we are adding is just the boolean filter plugin, which has
\Drupal\Tests\views\Kernel\Handler\FilterBooleanOperatorTest
, which does it's testing with a status field, so that seems pretty good.On testing the default Views, from a regression testing stand point I'd hope there would be no need. Any change we make to the View we would have to update our test coverage (so we are always just making our test match our config, so our test won't tell us anything) and if we break something and the test for this fails, I would expect (or at least hope) that some test for the component we broke would fail too. But I get your point, it does feel like something we'd want to make sure works. So, yeah, not sure either.
For this fix I'd opt we stick with what we currently do, and not have test coverage for default Views. If that is something we want, we should do it right and make a meta and add it for all of them.
Comment #18
dww@Lendude Thanks for the additional test digging! Your findings put my mind at ease. ;)
I'm also now convinced about your reasoning on the functional testing of the default views. If we want it (which is still an if), I agree it should be done properly via a meta and a real effort, not weirdly 1-off for this particular bug.
So, all concerns are addressed. #12 is RTBC for 9.2.x and 9.1.x branches.
I agree with the "Needs backport to D8" tag. This should probably land in 8.9.x branch, too. Adding the "Security improvements" tag since this is fixing an access bypass bug, as additional support for the backport.
#12 doesn't apply to 8.9.x (fuzz in
core/modules/node/node.post_update.php
) and the new test is using the 9.0.0 fixture which obviously doesn't exist in 8.9.x branch. ;) So at risk of confusing things, here's the 8.9.x backport, which is only resolving the fuzz and changing the test to use:and to annotate the test with
@group legacy
. That DB dump contains a bunch of things that trigger deprecation warnings if you run it locally without legacy:The rest of the 8.9.x tests in
core/modules/views/tests/src/Functional/Update
use@group legacy
, so I think that's the right thing. Would be great to have @Lendude confirm this backport is proper. ;)Thanks again!
-Derek
p.s. I only knew to review this from a post in #bugsmash, so tagging for that, too...
Comment #19
LendudeBackport looks good to me.
Something that just occurred to me, the Glossary View could have been deleted from an install, so we should probably check that the load worked and if not, bail early.
Comment #20
LendudeAdded the check for loading the View, also updated the setting we add in the update to match the actual config you have after exporting.
Comment #21
imalabyaMinor PHPCS error in the previously. Uploading a new one.
Comment #22
dww@Lendude re: #19: Good catch! Agreed that's better. Thanks.
@imalabya re: #21: Thanks! That's indeed the fix for the minor PHPCS error in #20. ;)
#21 is back to RTBC for 9.x branches.
Here's a fresh backport for 8.9.x. Interdiffs relative to previous 8.9.x patch (#18) and latest 9.x patch (#21).
Thanks, everyone!
-Derek
Comment #26
catchCommitted/pushed to 9.2.x, backported to 9.1.x and 8.9.x, also tagging for various release notes.
Comment #28
xjmFixing tag for intervening sec releases.