Problem/Motivation
I think the "Administer content" permission should not be used on a UI that is not related to content in any way. If the Lagoon logs UI also allowed changing configuration, not just viewing it, this could be a security issue. Currently it only exposes information that probably cannot be leveraged anyway, which is why I am reporting this here.
https://git.drupalcode.org/project/lagoon_logs/-/blob/8.x-1.1/lagoon_log...
Steps to reproduce
Ideas:
* Introduce a dedicated permission
* Move this information to the admin/reports/status page
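To make the permission change concrete, here is an added example (not the module's own code, and not taken from the merge requests) of what the weak route definition and the two fixes discussed in this issue look like in Drupal routing and permissions YAML. The route name `lagoon_logs.logs`, the path, the controller class and the permission name `view lagoon logs` are assumptions for illustration; only the two core permission machine names (`administer nodes`, labelled "Administer content", and `administer site configuration`) are real.

```yaml
# lagoon_logs.routing.yml, before (hypothetical route name, path and
# controller; the module's actual route file is linked in the issue summary).
# The logs page is gated on the node module's 'administer nodes' permission,
# which Drupal labels "Administer content". Anyone who may manage nodes can
# therefore see the Lagoon logging status page, although it has nothing to
# do with content.
lagoon_logs.logs:
  path: '/admin/reports/lagoon-logs'
  defaults:
    _controller: '\Drupal\lagoon_logs\Controller\LagoonLogsController::view'
    _title: 'Lagoon logs'
  requirements:
    _permission: 'administer nodes'
---
# Fix, option 1 (the simplest, and the one the comments on this issue settle
# on): require the system module's 'administer site configuration'
# permission instead. No new permission needs to be declared.
lagoon_logs.logs:
  path: '/admin/reports/lagoon-logs'
  defaults:
    _controller: '\Drupal\lagoon_logs\Controller\LagoonLogsController::view'
    _title: 'Lagoon logs'
  requirements:
    _permission: 'administer site configuration'
---
# Fix, option 2 (the "dedicated permission" idea from the issue summary):
# declare a module-specific permission in lagoon_logs.permissions.yml ...
# (permission name and wording are hypothetical)
view lagoon logs:
  title: 'View Lagoon logs'
  description: 'View the Lagoon logging status page.'
---
# ... and require it on the route. Site builders can then grant exactly this
# page to a role without also handing out content or site-configuration
# administration.
lagoon_logs.logs:
  path: '/admin/reports/lagoon-logs'
  defaults:
    _controller: '\Drupal\lagoon_logs\Controller\LagoonLogsController::view'
    _title: 'Lagoon logs'
  requirements:
    _permission: 'view lagoon logs'
```

After changing either file, rebuild caches (`drush cr`) so the router and permission definitions are picked up, then check /admin/people/permissions to confirm which roles now hold the permission that guards the page.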
Issue fork lagoon_logs-3240629
- 3240629_CHANGEPERMS changes, plain diff MR !6
- 8.x-1.x changes, plain diff MR !5
- 3240629-change-access-to changes, plain diff MR !4
Comments
Comment #2
Kristen Pol: I agree with this. I was surprised by this permission being used and was going to create an issue if there wasn't already one. But here it is :)
An easy fix could be to at least change this to "Administer site configuration" for now.
Comment #3
bomoko (CreditAttribution: bomoko at amazee.io) commented: Yeah, I think this was probably a copy-pasta issue in the early, early dev of this module. We actually had a settings page that allowed some config settings, but it was scrapped, and this page and route are a kind of vestigial artifact.
Totally agree, though; I think just changing to "Administer site configuration" is the simplest.
Comment #9
bomoko (CreditAttribution: bomoko at amazee.io) commented: Thanks all, I'll consider this closed for the moment with the perms update.
Comment #10
bomoko (CreditAttribution: bomoko) commented
Comment #11
Kristen Pol: Fast! Thanks :)