The "Manage payment methods" permission needs a warning next to the anonymous checkbox about the security issues that can result from checking it.
If admins check the permissions box allowing anonymous users to manage payment methods (which someone might check believing it is necessary for anonymous checkouts), the result is a page, visible to all the world at www.yoursite.com/user/0/payment-methods, listing the name, last four digits of the credit card number, etc. of everyone who has ever checked out anonymously.
The permissions page interface should have a warning that checking this box is NOT A GOOD IDEA. Furthermore, it shouldn't even be an option in my opinion.
Comment | File | Size | Author
---|---|---|---
#5 | 3218783-5.patch | 2.56 KB | jsacksick
#5 | 3218783-5-tests-only.patch | 1.8 KB | jsacksick
Comments
Comment #2
jsacksick CreditAttribution: jsacksick at Centarro commented
Sure, we can add:
Thought... It's probably not the right fix, as it's a security problem only when granting this to anonymous users...
Perhaps PaymentMethodAccessCheck needs to be updated to grant access only for authenticated users, regardless of the permission...
From:
To:
Comment #3
jsacksick CreditAttribution: jsacksick at Centarro commented
Attaching a failing test + another patch that has the fix + the test.
Comment #4
jsacksick CreditAttribution: jsacksick at Centarro commented
Updated test that also ensures that granting the "administer commerce_payment_method" permission doesn't give access to the page for managing payment methods.
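The fix direction sketched in comment #2 (the page is denied to the anonymous account regardless of which permissions that role holds) and the extra condition tested in comment #4 (a site-wide administer permission must not open the per-user page) can be expressed as a Drupal route access check. The class below is an added illustration written for this page; it is not Drupal Commerce's own PaymentMethodAccessCheck and is not code from the patches above. The module namespace, the class name and the permission string 'manage own payment methods' are assumptions; only the Drupal core APIs used (AccessResult, AccountInterface, UserInterface) are real.

```php
<?php

namespace Drupal\example_payment\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

/**
 * Route access check for a per-user "payment methods" page.
 *
 * Illustrative only: not Drupal Commerce's PaymentMethodAccessCheck.
 * The point from the thread: the anonymous account (uid 0) is shared by
 * every guest checkout, so a page listing "its" stored payment methods
 * must never be reachable, whatever permissions the anonymous role has.
 */
class PaymentMethodsPageAccessCheck implements AccessInterface {

  /**
   * Permission allowing a user to manage their own stored payment methods.
   * Assumed name for this example; the real module defines its own string.
   */
  const MANAGE_OWN = 'manage own payment methods';

  /**
   * Checks access to /user/{user}/payment-methods.
   *
   * @param \Drupal\user\UserInterface $user
   *   The user whose payment methods are listed (upcast {user} parameter).
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account making the request.
   */
  public function access(UserInterface $user, AccountInterface $account): AccessResultInterface {
    // Deny outright when the page owner is the anonymous account. This does
    // not consult permissions at all, so granting the role the checkbox from
    // the original report cannot expose /user/0/payment-methods.
    if ($user->isAnonymous()) {
      return AccessResult::forbidden('The anonymous account has no payment methods page.')
        ->addCacheableDependency($user);
    }

    // Otherwise only the owner, holding the "manage own" permission, gets in.
    // A site-wide "administer" permission is deliberately not an alternative
    // path to this per-user page (comment #4); admins use the admin UI.
    $is_owner = $account->id() == $user->id();
    return AccessResult::allowedIf($is_owner)
      ->andIf(AccessResult::allowedIfHasPermission($account, static::MANAGE_OWN))
      ->cachePerUser()
      ->addCacheableDependency($user);
  }

}
```

To wire it in, the module's services.yml would register the class as a service tagged `access_check` with `applies_to: _payment_methods_page`, and the route would carry `_payment_methods_page: 'TRUE'` under its requirements; Drupal resolves the `$user` argument from the route's upcast `{user}` parameter and `$account` from the current session. The regression check worth keeping, whichever permission names a site uses, is the one the thread converges on: with the anonymous role granted the manage permission, a request to /user/0/payment-methods still returns 403, and a user holding only the administer permission is still denied another user's page.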
Comment #5
jsacksick CreditAttribution: jsacksick at Centarro commented
Comment #7
jsacksick CreditAttribution: jsacksick at Centarro commented
Committed the fix, thanks for the report.
Comment #8
jsacksick CreditAttribution: jsacksick at Centarro commented
Comment #10
matthewmack CreditAttribution: matthewmack commented
Hey Jack,
Thanks so much for taking the time for this.
Comment #11
matthewmack CreditAttribution: matthewmack commented