Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
filter.routing.yml uses permissions to perform access control on routes instead of _entity_access. This bypasses filter entities' access controller and hook_entity_access() and variants, and is therefore a potential security flaw.
This issue CANNOT be committed until #2095693: FilterFormatAccessController always grants access for any operation on the fallback format is, or we will have introduced an actual security bug.
Comment | File | Size | Author |
---|---|---|---|
#26 | interdiff.txt | 1.38 KB | Xano |
#26 | drupal_2101119_26.patch | 9.03 KB | Xano |
Comments
Comment #1
XanoThe patch replaces _permission with _entity_access and _entity_create_access for routes that want to perform entity operations. It cleans up the access controller and provides proper access control for the
disable
operation. Consequently it also removes the access check that was used for the route that disables formats.Comment #3
XanoI forgot to mention that because of the security implications, I made sure this patch depends on #2095693: FilterFormatAccessController always grants access for any operation on the fallback format.
Comment #4
Xano#1: drupal_2101119_1.patch queued for re-testing.
Comment #5
Xano#1: drupal_2101119_1.patch queued for re-testing.
Comment #7
XanoRe-roll.
Comment #8
tim.plunkettIt turns out this is redundant. FilterFormat::getPermissionName() checks isFallbackFormat() already. Restoring the previous !empty() check from before.
Also quoting the access bits like we do elsewhere.
Comment #9
XanoI know it is redundant, but it makes much more sense when reading the code. getPermission() should IMHO also return a permission string at all times, even if it is for a fallback format.
Comment #11
Xano8: filter-2101119-8.patch queued for re-testing.
Comment #13
sunThis looks a bit scary to me...
Is a text format really "viewed" when being presented in a text field widget? (No, it is not.)
Or isn't a text format much rather "viewed" when being listed on the administrative overview page that lists all available text formats?
→ I think we need to make a differentiation between "use" and "view".
Given recent entity access/operation API improvements, it might be much more simple now to introduce a new operation/access model of "use"?
Comment #14
XanoRe-roll, and I introduced the
use
operation per sun's request.Comment #16
XanoComment #18
XanoComment #20
XanoComment #21
Xano20: drupal_2101119_20.patch queued for re-testing.
Comment #22
sunThanks, @Xano! — This looks good to me.
Somehow I assumed/hoped that a new access operation would have to be registered somewhere (so that available operations can be discovered and introspected by other services and developers), but based on this patch, that doesn't appear to be the case yet.
I also wondered whether the "administer filters" permission still kicks in somewhere, but I assume the "admin_permission" on the
FilterFormat
entity class annotation is automagically used and validated by the config entity system.Comment #23
tim.plunkettYep, the parent::checkAccess call uses the admin_permission annotation, see EntityAccessController::checkAccess
+1 for RTBC
Comment #24
catchPatch removes 'view' from almost everywhere, but not here. I realise this is just punting it to the parent, but is 'view' even used any more? If it's not, I'm not really convinced about the view/use change - leaves view hanging with no purpose at all, and this feels like an issue for most configuration entities.
Comment #25
tim.plunkettThis also removes the only place that _filter_disable_format_access is used, so the access_check.filter_disable service and corresponding Drupal\filter\Access\FormatDisableCheck class can be removed.
Comment #26
XanoYou're right. I removed
view
from the access controller.The patch already did that?
Comment #27
tim.plunkettI must have accidentally clicked on another patch, I was just staring at FormatDisableCheck for another reason and thought I'd make a note here.
Thanks @Xano!
Comment #29
Xano26: drupal_2101119_26.patch queued for re-testing.
Comment #30
Désiré CreditAttribution: Désiré commentedComment #31
Désiré CreditAttribution: Désiré commented26: drupal_2101119_26.patch queued for re-testing.
Comment #32
XanoComment #33
Désiré CreditAttribution: Désiré commented26: drupal_2101119_26.patch queued for re-testing.
Comment #34
XanoRTBC patches no longer have to be re-tested manually: https://qa.drupal.org/node/228
Comment #36
Xano26: drupal_2101119_26.patch queued for re-testing.
Comment #37
XanoRandom test failure? Back to RTBC.
Comment #39
Xano26: drupal_2101119_26.patch queued for re-testing.
Comment #40
XanoRTBC'ing per #27 and #37.
Comment #42
XanoThe tests fail because HEAD is broken.
Comment #43
tstoeckler26: drupal_2101119_26.patch queued for re-testing.
Comment #44
catchCommitted/pushed to 8.x, thanks!