Overview

In #3535221: Pending changes leaking entities that user might have no access to, @larowlan wondered whether it could be considered "information disclosure" that the route /xb/api/v0/auto-saves/pending returns the cache tag 'config:experience_builder.page_region.stark.highlighted' even though the user does not have view access to that page region entity, and its auto-save is therefore NOT returned in the list. From the cache tag alone, the user could infer that this region has pending changes.

This is shown in the test \Drupal\Tests\experience_builder\Kernel\ApiAutoSaveControllerTest::testGetOmitsNotAccessibleEntities.

The same test shows that the cache tag 'config:experience_builder.js_component.test_code' is also returned, even though the user will not see that component in their list of changes to review.

It would not be great if a user could determine from a cache tag such as 'config:experience_builder.js_component.going_out_business_banner' that a JS Component they cannot view has pending changes.

Proposed resolution

Determine whether this is actually information disclosure and, if so, figure out how to avoid it.

User interface changes

Comments

tedbow created an issue.

tedbow credited larowlan.

wim leers commented:

Issue tags: +D8 cacheability

Interesting … 🤔

Idea: what if for any inaccessible entity, we replace the entity's individual (unique) cache tag with that entity's type's list cache tag (\Drupal\Core\Entity\EntityType::getListCacheTags(), and if a bundleable entity type: \Drupal\Core\Entity\EntityType::getBundleListCacheTags())?

Looking at \Drupal\Tests\jsonapi\Functional\ResourceTestBase::testCollection(), that also only discloses the list cache tag.
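The idea above, sketched as an added example in PHP. This is not Drupal Canvas / Experience Builder code, and the helper name xb_example_filter_viewable() is hypothetical; it assumes the controller already has the candidate entities (e.g. everything in the auto-save store) and a CacheableMetadata object for the response. For each entity the account cannot view, only the entity type's list cache tags (and the bundle list cache tags, where the entity type has a bundle key) are added instead of the entity's own tag, and the same substitution is applied to any cacheability the access result carries, since an access control handler may have added the entity itself as a dependency. List cache tags are still invalidated whenever an entity of that type is saved, so the response is invalidated correctly without naming the specific entity.

```php
<?php

declare(strict_types=1);

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Filters $entities to those $account may view, collecting cacheability.
 *
 * Added example, not project code. Inaccessible entities contribute only
 * their entity type's list cache tags (the approach proposed in this issue),
 * so the response does not reveal which specific inaccessible entities
 * exist or have pending changes.
 *
 * @param \Drupal\Core\Entity\EntityInterface[] $entities
 *   Candidate entities, e.g. everything with an auto-save entry (assumption).
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account the list is being built for.
 * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
 *   The response cacheability to add to.
 *
 * @return \Drupal\Core\Entity\EntityInterface[]
 *   The entities $account is allowed to view.
 */
function xb_example_filter_viewable(array $entities, AccountInterface $account, CacheableMetadata $cacheability): array {
  $accessible = [];
  foreach ($entities as $entity) {
    assert($entity instanceof EntityInterface);
    $access = $entity->access('view', $account, TRUE);
    $entity_type = $entity->getEntityType();

    // Coarse tags: only reveal that "some entity of this type changed".
    $list_tags = $entity_type->getListCacheTags();
    if ($entity_type->hasKey('bundle')) {
      // Bundle list cache tags, as referenced in the comment above.
      $list_tags = array_merge($list_tags, $entity_type->getBundleListCacheTags($entity->bundle()));
    }
    $cacheability->addCacheTags($list_tags);

    if ($access->isAllowed()) {
      // Accessible: the entity is in the list, so its own tag is fine.
      $accessible[] = $entity;
      $cacheability->addCacheableDependency($entity);
      $cacheability->addCacheableDependency($access);
      continue;
    }

    // Inaccessible: the access result's contexts and max-age must still be
    // merged (e.g. user.permissions), but an access control handler may have
    // added the entity itself as a dependency, which would leak its unique
    // cache tag. Strip the entity's own tags before merging; the list cache
    // tags added above cover invalidation when the entity is saved.
    $identifying_tags = $entity->getCacheTags();
    $access_cacheability = CacheableMetadata::createFromObject($access);
    $safe_tags = array_values(array_diff($access_cacheability->getCacheTags(), $identifying_tags));
    $access_cacheability->setCacheTags($safe_tags);
    $cacheability->addCacheableDependency($access_cacheability);
  }
  return $accessible;
}
```

A kernel test along the lines of testGetOmitsNotAccessibleEntities can then assert that the response's cache tags contain the list cache tag (e.g. 'config:experience_builder.js_component_list') but not the omitted entity's own tag.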

wim leers commented:

Category: Bug report » Task

lauriii commented:

Issue tags: -stable blocker

I think Normal task is the correct prioritization for this. Therefore, I don't think this can be considered to be a stable blocker.

Project: Experience Builder » Drupal Canvas
Version: 0.x-dev » 1.x-dev

Experience Builder has been renamed to Drupal Canvas in preparation for its beta release. You can now track issues on the new project page.