Problem/Motivation
cache_example module doesn't demonstrate basic security best practices on its routes.
We need to change that.
In the routes.yml file, it currently says:
requirements:
  _access: 'TRUE'
This grants access unconditionally: anyone who can reach the site, including anonymous users, can see the page, which opens up further security concerns.
Proposed resolution
- Change the routes.yml file to say something like this:
requirements:
  _permission: 'access content'
- Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with 'access content' permissions has been logged in.
- Amend any tests which use these routes to log in a user who can access them.
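The following functional test is an added example of the test update described in the last two items; it is not code from the cache_example module or from the patch on this issue. It assumes the route lives at /examples/cache-example (placeholder; check cache_example.routing.yml) and that the route's requirements read `_permission: 'access content'`. Because 'access content' is often already granted to the anonymous role, the test revokes it first so the denied case is actually exercised rather than silently passing.

```php
<?php

namespace Drupal\Tests\cache_example\Functional;

use Drupal\Tests\BrowserTestBase;
use Drupal\user\RoleInterface;

/**
 * Checks that the cache_example route is gated by the 'access content' permission.
 *
 * Added example; not part of the cache_example module or the patch on this issue.
 *
 * @group cache_example
 */
class CacheExampleAccessTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * {@inheritdoc}
   */
  protected static $modules = ['cache_example'];

  /**
   * Path of the route under test (assumed; verify against the routing file).
   */
  const ROUTE_PATH = '/examples/cache-example';

  /**
   * Anonymous and permission-less users get 403; 'access content' gets 200.
   */
  public function testRouteRequiresAccessContent() {
    // The anonymous role may already hold 'access content' (see comment #6),
    // which would make the negative assertion below pass for the wrong reason.
    user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['access content']);

    // Anonymous without the permission must be denied.
    $this->drupalGet(self::ROUTE_PATH);
    $this->assertSession()->statusCodeEquals(403);

    // Being logged in is not enough; the permission itself is what gates access.
    $no_permission = $this->drupalCreateUser([]);
    $this->drupalLogin($no_permission);
    $this->drupalGet(self::ROUTE_PATH);
    $this->assertSession()->statusCodeEquals(403);
    $this->drupalLogout();

    // A user holding 'access content' can view the page.
    $reader = $this->drupalCreateUser(['access content']);
    $this->drupalLogin($reader);
    $this->drupalGet(self::ROUTE_PATH);
    $this->assertSession()->statusCodeEquals(200);
  }

}
```

Placing it under tests/src/Functional/ in the module lets `phpunit --group cache_example` pick it up. The explicit revoke is the important design choice: without it, a default install where anonymous already has 'access content' would return 200 for the first request and the test would never prove the route is actually protected.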
Comment | File | Size | Author
---|---|---|---
#2 | cache_example-access_checking-2585573-2-8.patch | 405 bytes | sumthief
Comments
Comment #2
sumthief (CreditAttribution: sumthief as a volunteer and at DrupalJedi) commented
Comment #3
Mile23
Comment #4
Mile23
Comment #5
nicrodgers
Patch looks great, well done!
Now all that remains is the final two items on the "Proposed resolution" list - updating the tests.
Comment #6
sumthief (CreditAttribution: sumthief as a volunteer and at DrupalJedi) commented
@nicrodgers, I think it is unnecessary to update the tests because 'access content' is in the "enabled" state for anonymous by default.
Comment #7
nicrodgers
@Shlyapkin - that sounds sensible to me. If @Mile23 is happy, then we can remove those two items from the issue summary and RTBC it.
Comment #8
sumthief (CreditAttribution: sumthief as a volunteer and at DrupalJedi) commented
@Mile23, can you check tasks?
Comment #10
marvil07 (CreditAttribution: marvil07 as a volunteer) commented
Thanks!