Overview
In #3535221: Pending changes leaking entities that user might have no access to @larowlan wondered if the fact that the route /xb/api/v0/auto-saves/pending returns cache tag 'config:experience_builder.page_region.stark.highlighted', even though the user does not have view access and therefore the auto-save for that region entity is NOT returned in the list could be considered "information disclosure". The user would know this region has pending changes.
This is shown in the test \Drupal\Tests\experience_builder\Kernel\ApiAutoSaveControllerTest::testGetOmitsNotAccessibleEntities
It also shows that the cache tag 'config:experience_builder.js_component.test_code' is returned even though the user won't see the component in their list of changes to review.
It would not be great if the user could determine that a JS Component like 'config:experience_builder.js_component.going_out_business_banner' was pending.
Proposed resolution
Determine if this is actually information disclosure and if so figure out how to avoid it.
Comments
Comment #3
tedbow

Comment #4
wim leers
Interesting … 🤔
Idea: what if for any inaccessible entity, we replace the entity's individual (unique) cache tag with that entity's type's list cache tag (\Drupal\Core\Entity\EntityType::getListCacheTags(), and if a bundleable entity type: \Drupal\Core\Entity\EntityType::getBundleListCacheTags())?
Looking at \Drupal\Tests\jsonapi\Functional\ResourceTestBase::testCollection(), that also only discloses the list cache tag.

Comment #5
wim leers

Comment #6
lauriii
I think normal task is correct prioritization for this. Therefore, I don't think this can be considered to be a stable blocker.
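To make the leak in the issue summary and the substitution proposed in comment #4 concrete, here is an added, stand-alone PHP sketch. It is not Experience Builder's code and it does not bootstrap Drupal: the per-entity, list and bundle-list cache tags are hard-coded where a real controller would read them from $entity->getCacheTags(), getListCacheTags() and getBundleListCacheTags(); the list-tag values, the labels and the extra bundleable node entry (included to show the bundle list tag case, which the issue only names) are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not real site content): three pending auto-saves
// as a hypothetical list controller would see them before access filtering.
// Tag values other than the two named in the issue are illustrative.
function samplePendingAutoSaves(): array {
  return [
    [
      'label' => 'Highlighted region (stark)',
      'tag' => 'config:experience_builder.page_region.stark.highlighted',
      'list_tags' => ['config:page_region_list'],
      'bundle_list_tags' => [],
      'accessible' => FALSE,
    ],
    [
      'label' => 'Going-out-of-business banner',
      'tag' => 'config:experience_builder.js_component.going_out_business_banner',
      'list_tags' => ['config:js_component_list'],
      'bundle_list_tags' => [],
      'accessible' => FALSE,
    ],
    [
      'label' => 'Article 7',
      'tag' => 'node:7',
      'list_tags' => ['node_list'],
      'bundle_list_tags' => ['node_list:article'],
      'accessible' => TRUE,
    ],
  ];
}

// The response body only ever lists entries the user may view.
function visibleEntries(array $autoSaves): array {
  return array_values(array_filter($autoSaves, fn(array $a): bool => $a['accessible']));
}

// Leaky variant: every entity's unique cache tag is bubbled into the
// response, including entities whose entries were filtered out of the body.
function leakyCacheTags(array $autoSaves): array {
  $tags = [];
  foreach ($autoSaves as $autoSave) {
    $tags[] = $autoSave['tag'];
  }
  return array_values(array_unique($tags));
}

// Hardened variant (comment #4's idea): an inaccessible entity contributes
// only its entity type's list cache tags and, for bundleable types, the
// bundle list cache tags. Its unique tag never reaches the response.
function hardenedCacheTags(array $autoSaves): array {
  $tags = [];
  foreach ($autoSaves as $autoSave) {
    if ($autoSave['accessible']) {
      $tags[] = $autoSave['tag'];
    }
    else {
      $tags = array_merge($tags, $autoSave['list_tags'], $autoSave['bundle_list_tags']);
    }
  }
  $tags = array_values(array_unique($tags));
  sort($tags);
  return $tags;
}

// The check a kernel test would make: which inaccessible entities can be
// inferred to have pending changes from the response's cache tags alone?
function disclosedEntities(array $autoSaves, array $responseTags): array {
  $disclosed = [];
  foreach ($autoSaves as $autoSave) {
    if (!$autoSave['accessible'] && in_array($autoSave['tag'], $responseTags, TRUE)) {
      $disclosed[] = $autoSave['label'];
    }
  }
  return $disclosed;
}

$autoSaves = samplePendingAutoSaves();
printf("Entries in body: %s\n", implode(', ', array_column(visibleEntries($autoSaves), 'label')));

$leaky = leakyCacheTags($autoSaves);
printf("Leaky tags:      %s\n", implode(' ', $leaky));
printf("Disclosed:       %s\n", implode(', ', disclosedEntities($autoSaves, $leaky)) ?: 'none');

$hardened = hardenedCacheTags($autoSaves);
printf("Hardened tags:   %s\n", implode(' ', $hardened));
printf("Disclosed:       %s\n", implode(', ', disclosedEntities($autoSaves, $hardened)) ?: 'none');
```

The trade-off is cache granularity, not correctness: with the hardened tags, any save or delete of a page_region or js_component entity invalidates the list response, which is coarser than the per-entity tag but still sound, since Drupal core invalidates an entity type's list cache tags whenever an entity of that type is saved or deleted. The "Disclosed:" line after the hardened tags is what a test such as testGetOmitsNotAccessibleEntities would assert is empty; in real code the tag arrays would be combined with \Drupal\Core\Cache\Cache::mergeTags() rather than array_merge().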