Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This issue has been approved for public handling by the Drupal Security Team.
When attaching displays (e.g. Feed), it is possible for the attached display to have access control that is more restrictive than the page display it's attached to. Views does not currently check the access of an attached display before trying to attach it, so you can end up with a feed icon rendering that you'll get an access denial when trying to follow.
Steps to reproduce
- Create a View with a page display with access set to role = authenticated, and a feed display with access set to role = administrator and attach it to the page display.
- Visit the page as an authenticated user and notice the feed icon.
- Click the feed icon and receive see the access denied page.
Comment | File | Size | Author |
---|---|---|---|
#12 | views.view_.foo_.yml | 5.21 KB | jungle |
#9 | drupal-views-attached-display-access-3047216-9-test-only.patch | 3.71 KB | mxr576 |
#9 | interdiff_8_9.txt | 3.56 KB | mxr576 |
#9 | drupal-views-attached-display-access-3047216-9.patch | 4.58 KB | mxr576 |
#8 | interdiff_2_8.txt | 550 bytes | mxr576 |
Comments
Comment #2
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedComment #5
mxr576Fixed failing test, added extra test coverage and added access check to one additional place.
Comment #8
mxr576Okay, let's just fix the failing test...
Comment #9
mxr576... and expected test coverage only for the fixed code part.
Comment #11
mxr576Comment #12
jungle@mxr576, thank you!
I've just tested the patch with a view of node with a
Page
display and aFeed
display./foo
Role | Anonymous user
/bar
Page
Role | Administrator
Before:
Visited
/foo
asAnonymous user
, I did SEE thefeed icon
, clicked thefeed icon
, lead me to/bar
, andaccess denied
gotAfter:
Applied the patch in #9, rebuilt the cache. visited
/foo
asAnonymous user
, I DID NOT see thefeed icon
, visited/bar
, andaccess denied
gotAttached is the view exported for testing (
uuid key
removed manually, original file name:views.view.foo.yml
)The patch looks good to me, but I would promote mocking with Prophecy in PHPUnit https://www.drupal.org/docs/8/phpunit/using-prophecy
In all, RTBC+1
Comment #13
LendudeThis looks really good already. Confirmed the bug, applied the patch and confirmed that this fixes the bug.
Since we are dealing with a borderline information disclosure issue here, I think it might be good to add functional test coverage for this as well, but lets see how the committers feel about adding additional coverage, or if they feel the unit tests are enough.
Comment #14
mxr576Thanks for the quick reviews!
Unless there is an existing functional test in core that could be easily altered to add this extra test coverage I would go with only the unit test. If a unit test was/is enough checking the "enabled" state of a display (is there a functional test for that?) which could also modify the result, a unit test should be also enough to verify the access.
Comment #16
xjmThe latest patch failed tests with:
Also, as a minor access bypass, we probably should have filed it in the private tracker to start. Sometimes the sec team will approve public issues for low-risk access bypasses and information disclosures. I'll ask about this one.
Comment #17
xjmComment #18
xjmComment #19
mxr576Comment #20
mxr576@xjm, thanks for the review and the confirmation from the security team. (I also rolled my head around when I saw a possible security issue is in the public queue.) Are you sure the patch failed? I cannot reproduce this in my local, the "test-only.patch" failes of course.
Started new tests on the CI for #9 https://www.drupal.org/pift-ci-job/1675012 https://www.drupal.org/pift-ci-job/1675013
Comment #21
jungleI was guessing @xjm tested the wrong/TEST-ONLY patch too. Let's set back to RTBC.
Comment #22
xjmI was indeed looking at the test-only patch; was distracted by the fact that we had an access bypass issue in the public queue without Security Team approval and was focused on getting that. ;) Sorry!
Comment #23
alexpottA couple of thoughts:
Comment #25
joelpittet@alexpott, those are great deductions, I'll give you my 2¢ and try and push this issue forward.
Feed::attachTo()
should probably not get this access check, it's an RSS feed, it's whole goal is to publicize (I don't think it would hurt but also not necessary, IMO), AND I'd not remove it fromAttachment::attachTo()
because that is our public API and who knows who's using that directly in contrib.Attachment::attachTo()
access() check is beforeapplyDisplayCacheabilityMetadata()
already, so already looks to be short-cutting output in attachments.I apologize if I misread/misinterpreted your point in #23
Hope all is well!👋
Comment #26
catchSo... all of views' access API returns boolean instead of AccessResult. Until they return AccessResult, we can't add cacheability metadata. This would need to go up through ViewExecutable::access() and whatever calls it too.
Permission access (and to an extent role access) will be handled by the global permissions cache context which is applied to everything, but anything more esoteric must currently be buggy afaict.
Opened #3188952: Views access system should use AccessResult.
Comment #27
alexpottCommitted and pushed 8fafcd342e to 9.2.x and c2bfd00955 to 9.1.x. Thanks!
@catch thanks for filing the follow-up for the bigger issue. I think that this issue represents a step in the correct direction so committing and we can improve on this in future issues.