Problem/Motivation

views.routing.yml uses _permission requirements to control access to routes that operate on view entities, instead of _entity_access. A bare permission check never consults the view entity type's access control handler, hook_entity_access() or its hook_ENTITY_TYPE_access() variants, so any module that restricts access to particular views through those hooks is silently ignored on these routes. That is a potential security flaw.

Proposed resolution

Convert the access requirements of all entity-based routes from _permission to entity access: _entity_access for routes that operate on an existing view, and _entity_create_access for the route that creates one.
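The weak and the corrected forms of such a route, side by side, as an added illustration (this is not the issue's own text or the committed patch; the paths and form names are assumptions made for the example, only the route names views_ui.delete and views_ui.add come from the issue):

```yaml
# Added example, not from the Drupal patch. Paths and _entity_form values are
# assumed for illustration; the entity type ID 'view' is the Views config entity.

# WEAK: a bare permission check. The router grants access to anyone holding
# 'administer views' and never consults the view entity's access control
# handler, so hook_entity_access() / hook_view_access() implementations that
# deny deletion of a specific view are never called.
views_ui.delete_permission_based:
  path: '/admin/structure/views/view/{view}/delete'
  defaults:
    _entity_form: 'view.delete'
  requirements:
    _permission: 'administer views'

# CORRECTED: entity access. The {view} slug is upcast to the View entity and
# the access checker calls $view->access('delete', $account), which runs the
# entity type's access control handler and then hook_entity_access() /
# hook_view_access(), combining their results.
views_ui.delete:
  path: '/admin/structure/views/view/{view}/delete'
  defaults:
    _entity_form: 'view.delete'
  requirements:
    _entity_access: 'view.delete'

# Creating an entity: there is no entity to load yet, so the requirement names
# only the entity type. The checker calls the handler's createAccess(), which
# also invokes hook_entity_create_access().
views_ui.add:
  path: '/admin/structure/views/add'
  defaults:
    _entity_form: 'view.add'
  requirements:
    _entity_create_access: 'view'
```

The caveat a practitioner should keep in mind: _entity_access only works when the part before the dot ('view') names a route parameter that is actually upcast to an entity. If the path slug is named differently, the checker has no entity to evaluate and the route is not protected the way the requirement suggests; the route name alone does not tie the two together.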

Remaining tasks

None.

User interface changes

None.

API changes

None.

Attached file: #1 drupal_2200229_1.patch (4.91 KB) by Xano

Comments

Xano

Status: Active » Needs review
File size: 4.91 KB

Status: Needs review » Needs work

The last submitted patch, 1: drupal_2200229_1.patch, failed testing.

Xano

Status: Needs work » Needs review

1: drupal_2200229_1.patch queued for re-testing.

Xano

Issue summary: updated

Xano

1: drupal_2200229_1.patch queued for re-testing.

dawehner

Status: Needs review » Reviewed & tested by the community
Issue tags: +VDC

+1

webchick

Status: Reviewed & tested by the community » Fixed
+++ b/core/modules/views_ui/views_ui.routing.yml
@@ -12,7 +12,7 @@ views_ui.add:
-    _permission: 'administer views'
+    _entity_create_access: view
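
Review bot: the new _entity_create_access: view requirement is only as strict as the view entity type's create-access check, and unlike the removed _permission: 'administer views' line nothing in this hunk shows what that check demands; confirm that the entity type's access control handler still requires 'administer views' for creation, otherwise this is a loosening rather than a tightening of views_ui.add. A short comment in the routing file noting that create access is delegated to the handler and hook_entity_create_access() would spare the next reader the same question.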

@@ -78,7 +78,7 @@ views_ui.delete:
-    _permission: 'administer views'
+    _entity_access: view.delete
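
Review bot: _entity_access: view.delete depends on this route having a {view} parameter that is upcast to the View entity before the access check runs, and the hunk does not include the path line; verify that the parameter in the path is named view so the 'view' prefix of the requirement resolves to an entity, since otherwise the checker has nothing to evaluate. Only the add and delete routes are quoted here while the summary promises all entity-based routes, so also confirm the remaining routes in the file that take {view} received the same conversion.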

Hm. That seems very weird that we have both _entity_access and _entity_create_access, but this is a HEAD thing, not a this patch thing.

Committed and pushed to 8.x. Thanks!

  • Commit c9711dc on 8.x by webchick:
    Issue #2200229 by Xano: Use entity access for Views UI routes.
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.