Hm. Is it just me or is there sth. weird about the payment methods permissions? There seem to be permissions like "view any order" / "view own order" - but there are no permissions like "view any payment methods" / "view own payment methods". And when I'm logged in as any arbitray user and I enter a url like "/user//payment-methods" I can see any other user's payment methods and modules/payment/commerce_payment.routing.yml just says:

requirements: _user_is_logged_in

which I guess means, that it's only necessary to be logged in.

Comments

rgpublic created an issue. See original summary.

bojanz’s picture

bojanz CreditAttribution: bojanz at Centarro commented
Title: Payment methods security issue? » Payment methods have incomplete access checking
Priority: Normal » Critical

Confirmed.

Plan:
1) Add an "administer commerce_payment_method" permission.
2) Add a "manage own commerce_payment_method" permission.
3) Add a custom access control handler for the two permissions
4) Add a custom access check for the mentioned routes, using the two permissions

  • bojanz committed 90a931a on 8.x-2.x 
    Issue #2822633 by bojanz: Payment methods have incomplete access...
bojanz’s picture

bojanz CreditAttribution: bojanz at Centarro commented
Status: Active » Fixed

Fixed. Thanks for reporting!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.