Followup of #1984528: Follow-up: Allow for more robust access checking, we have to replace ANY with ALL

Problem/Motivation

If a route needs several access checkers it currently uses an OR/ANY logic to concat them.
Developers though expect it to be ALL/AND by default

Proposed resolution

Switch the default to ALL, and check potential issues.

API changes

CommentFileSizeAuthor
#47 2063401-47.patch12.35 KBdamiankloip
#41 2063401-41.patch12.88 KBdamiankloip
#41 interdiff-2063401-41.txt794 bytesdamiankloip
#37 access-2063401-37.patch12.59 KBdawehner
#32 routing-2063401-32.patch12.59 KBdawehner
#32 interdiff.txt6.2 KBdawehner
#30 access_module-2063401-30.patch12.53 KBdawehner
#30 interdiff.txt6.2 KBdawehner
#27 access_mode-2063401-27.patch6.81 KBtim.plunkett
#27 interdiff.txt1.25 KBtim.plunkett
#20 access-2063401-20.patch5.56 KBdawehner
#3 access-2063401-3.patch5.53 KBdawehner
#3 interdiff.txt1.11 KBdawehner
#1 access-2063401-1.patch4.42 KBdawehner

Comments

dawehner’s picture

dawehner
Primary language German
commented
Status: Active » Needs review
StatusFileSize
new access-2063401-1.patch4.42 KB

Let's see how much breaks if ANY/ALL is switched.

Status: Needs review » Needs work

The last submitted patch, access-2063401-1.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
StatusFileSize
new interdiff.txt1.11 KB
new access-2063401-3.patch5.53 KB

This should fix the failures.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Needs review » Needs work
Issue tags: +DrupalWTF, +WSCCI 
+++ b/core/modules/rest/lib/Drupal/rest/Plugin/ResourceBase.php
@@ -92,6 +92,8 @@ public function routes() {
         // The HTTP method is a requirement for this route.
         '_method' => $method,
         '_permission' => "restful $lower_method $this->pluginId",
+      ), array(
+        '_access_mode' => 'ANY',
       ));

Is this really correct?

Shouldn't this be ALL and be only dependent on _permission?

I'm not familiar with the REST module code, but I see there's access checks happening on _method as well. Though it shouldn't apply here because _access_rest_csrf isn't set. I'm not aware of the full scope of what's happening, but in any case, ANY seems wrong.

If I'm wrong, care to explain why? :)

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Needs work » Needs review

Didn't mean to mark this NW.

dawehner’s picture

dawehner
Primary language German
commented

linking because of pure lazyness: #2063405: Update all access checkers to use static::ALLOW/static::DENY/static::KILL

Crell’s picture

Crell commented

_method is not enforced by an access checker but by UrlMatcher. _access_mode is entirely irrelevant for that.

dawehner’s picture

dawehner
Primary language German
commented

Tried to debug that problem with more depth:

First note: 

[3]
access_check.rest.csrf
access_check.permission
access_check.rest.csrf

It feels wrong to have rest.csrf twice on there.

We are doing a POST request here, so the CSRFAccessChecker will return NULL (as they don't make sense on POST). As NULL is considered to break on the ALL case, we seem to need ANY here?

dawehner’s picture

dawehner
Primary language German
commented
Issue tags: -DrupalWTF, -WSCCI

#3: access-2063401-3.patch queued for re-testing.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

#3: access-2063401-3.patch queued for re-testing.

dawehner’s picture

dawehner
Primary language German
commented

#3: access-2063401-3.patch queued for re-testing.

dawehner’s picture

dawehner
Primary language German
commented
Issue tags: +DrupalWTF, +WSCCI

#3: access-2063401-3.patch queued for re-testing.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

How do we move this forward? Who is the most appropriate person to review this?

dawehner’s picture

dawehner
Primary language German
commented

Maybe damian well react to the message left on druplicon :) Crell is out of chicago for quite a long time, as far as I remember

Crell’s picture

Crell commented
Status: Needs review » Reviewed & tested by the community

Fortunately I brought my laptop with me to Minneapolis. :-)

damiankloip’s picture

damiankloip commented

I was confused about Daniel's comment in #8. I guess that's not actually an issue anymore then? :)

Otherwise, +1 on this.

dawehner’s picture

dawehner
Primary language German
commented

I was confused about Daniel's comment in #8. I guess that's not actually an issue anymore then? :)

Not that I think of. The problem is that you would expect it to be all, maybe, but change the beaviour to 'ALL' is out of scope of this issue.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented

#3: access-2063401-3.patch queued for re-testing.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

Patch no longer applies.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
StatusFileSize
new access-2063401-20.patch5.56 KB

Here is a rerole.

damiankloip’s picture

damiankloip commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs reroll

And back again.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: -Needs reroll

d.o tag monster

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Issue tags: -DrupalWTF, -WSCCI

#20: access-2063401-20.patch queued for re-testing.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, access-2063401-20.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review

#20: access-2063401-20.patch queued for re-testing.

Status: Needs review » Needs work
Issue tags: +DrupalWTF, +WSCCI, +Needs reroll

The last submitted patch, access-2063401-20.patch, failed testing.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
StatusFileSize
new interdiff.txt1.25 KB
new access_mode-2063401-27.patch6.81 KB

Two of the recent additions needed ANY.

Status: Needs review » Needs work

The last submitted patch, access_mode-2063401-27.patch, failed testing.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

I would've expected this patch to also kill all of the unnecessary "ALL"s. Is that possible?

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
StatusFileSize
new interdiff.txt6.2 KB
new access_module-2063401-30.patch12.53 KB

This could be it.

Status: Needs review » Needs work

The last submitted patch, access_module-2063401-30.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
StatusFileSize
new interdiff.txt6.2 KB
new routing-2063401-32.patch12.59 KB

Ups.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Toronto, Canada
commented
Status: Needs review » Reviewed & tested by the community

#29 is addressed so back to RTBC.

dawehner’s picture

dawehner
Primary language German
commented
Issue tags: -DrupalWTF, -WSCCI

#32: routing-2063401-32.patch queued for re-testing.

Status: Reviewed & tested by the community » Needs work
Issue tags: +DrupalWTF, +WSCCI

The last submitted patch, routing-2063401-32.patch, failed testing.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Toronto, Canada
commented
Issue tags: +Needs reroll

needs reroll after #2089671: Convert non-test form callbacks to new form controller

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
StatusFileSize
new access-2063401-37.patch12.59 KB

Just an ordinary reroll.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Needs review » Reviewed & tested by the community

Moving back to RTBC, since that's where it was before testbot failed it.

dawehner’s picture

dawehner
Primary language German
commented

Cool!

Status: Reviewed & tested by the community » Needs work

The last submitted patch, access-2063401-37.patch, failed testing.

damiankloip’s picture

damiankloip commented
Status: Needs work » Needs review
StatusFileSize
new interdiff-2063401-41.txt794 bytes
new 2063401-41.patch12.88 KB

Just one missing in the ContentTranslationRouteSubscriber I think. This is when you have to love test coverage.

damiankloip’s picture

damiankloip commented

This should go back to RTBC if/when this passes.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Reviewed & tested by the community

Good catch!

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented

#41: 2063401-41.patch queued for re-testing.

pwolanin’s picture

pwolanin commented

+1 from me too.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

Patch no longer applies.

damiankloip’s picture

damiankloip commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
StatusFileSize
new 2063401-47.patch12.35 KB

rerolled. The hunk from router_test.routing.yml is already in HEAD:

+  options:
+    _access_mode: 'ANY'
dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Reviewed & tested by the community

Thank you for the reroll!

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Title: Replace the default _access_checks(access mode) with ALL instead of ANY » Change notice: Replace the default _access_checks(access mode) with ALL instead of ANY
Priority: Normal » Major
Status: Reviewed & tested by the community » Active
Issue tags: +Needs change record

Awesome, thank you SO much for this patch!

Committed and pushed to 8.x. Thanks!

Needs a change notice.

dawehner’s picture

dawehner
Primary language German
commented
Status: Active » Needs review

https://drupal.org/node/1851490/revisions/view/2868379/2870151
https://drupal.org/node/2107991

jibran’s picture

jibran
he/him
Primary language Urdu
Location Toronto, Canada
commented
Title: Change notice: Replace the default _access_checks(access mode) with ALL instead of ANY » Replace the default _access_checks(access mode) with ALL instead of ANY
Priority: Major » Normal
Status: Needs review » Fixed
Issue tags: -Needs change record

Fixed the change notice title and added some examples.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

jibran++

Automatically closed -- issue fixed for 2 weeks with no activity.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Issue summary: View changes

Oops, this change caused a security issue in rest.module: #2420559: REST permissions are not working as expected..

dawehner’s picture

dawehner
Primary language German
commented

@klausi
Common misconception though of these patches.