Change access to Lagoon logs settings UI [#3240629]

Problem/Motivation

I think "Administer content" permission should not be used on a UI that is not related to content anyhow. If the Lagoon logs UI would also allow changing configuration, not just viewing them, this could be a security issue. Currently, it only exposes information that possibly cannot be leveraged anyhow, this is the reason why I am reporting this here.

https://git.drupalcode.org/project/lagoon_logs/-/blob/8.x-1.1/lagoon_log...

Steps to reproduce

Ideas:
* Introduce a dedicated permissions
* Move this information to the admin/reports/status page

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork lagoon_logs-3240629

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3240629_CHANGEPERMS changes, plain diff MR !6
Check out this branch
8.x-1.x changes, plain diff MR !5
Check out this branch

1 hidden branch

3240629-change-access-to

changes, plain diff MR !4

Check out this branch

About issue forks

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

4 October 2021 at 13:51

mxr576 created an issue. See original summary.

Comment #2

Kristen Pol

she/her

English

Santa Cruz, CA, USA

CreditAttribution: Kristen Pol at Itty Bitty Byte for Salsa Digital commented 13 October 2021 at 02:39

I agree with this. I was surprised by this permission being used and was going to create an issue if there wasn't already one. But here it is :)

Easy fix could be to at least change this to Administer site configuration for now.

Comment #3

bomoko CreditAttribution: bomoko at amazee.io commented 20 October 2021 at 23:11

Yeah, I think this was probably a copy-pasta issue in the early early dev of this module - we actually has a settings page that allowed some config settings, but it was scrapped, and this page and route is a kind of vestigial artifact.

Totally agree, though - I think just changing to Administer Site Configuration is the simplest.

Issue #3240629 by bomoko, mxr576, Kristen Pol: Change access to Lagoon...

Comment #9

bomoko CreditAttribution: bomoko at amazee.io commented 20 October 2021 at 23:11

Thanks all - I'll consider this closed for the moment with the Perms update.

Comment #10

bomoko CreditAttribution: bomoko commented 13 October 2021 at 04:10

Status:

Active

» Fixed

Comment #11

Kristen Pol

she/her

English

Santa Cruz, CA, USA

CreditAttribution: Kristen Pol at Itty Bitty Byte for Salsa Digital commented 13 October 2021 at 04:19

Fast! Thanks :)

Comment #12

27 October 2021 at 04:24

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Change access to Lagoon logs settings UI

Problem/Motivation

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork lagoon_logs-3240629

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community