Problem/Motivation

You can access forms through links, even if you don't have a connected Instapage account.
Although you can't add or change any Instapage page, this is still a problem because, for example, if you know the ID of some added page, you can visit the edit form of that page and access its Path variable.

Steps to reproduce

- Don't connect an Instapage account in /admin/config/services/instapage
- Visit /admin/structure/instapage/new
- Visit /admin/structure/instapage/edit/ANY_NUMBER
- Visit /admin/structure/instapage/delete/ANY_NUMBER

Proposed resolution

Restrict access to the forms if an Instapage account isn't connected.
Also, for the Edit and Delete forms, check whether the page even exists.
Add automated tests.
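
A regression test for the steps to reproduce, written here as an added example and not taken from the module or the issue fork. The class name and the page ID 99999 are constructed, and it assumes a fresh install of the module has no Instapage account connected.

```php
<?php

namespace Drupal\Tests\instapage\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Added example: Instapage forms are denied while no account is connected.
 *
 * @group instapage
 */
class UnconnectedAccountAccessTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  protected static $modules = ['instapage'];

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * Visits the paths from the steps to reproduce and expects 403 on each.
   */
  public function testFormsDeniedWithoutConnectedAccount(): void {
    // uid 1 passes every permission check, so a 403 here can only come
    // from the route's own access logic, not from a missing permission.
    $this->drupalLogin($this->rootUser);

    // 99999 is a constructed ID standing in for ANY_NUMBER.
    $paths = [
      'admin/structure/instapage/new',
      'admin/structure/instapage/edit/99999',
      'admin/structure/instapage/delete/99999',
    ];
    foreach ($paths as $path) {
      $this->drupalGet($path);
      $this->assertSession()->statusCodeEquals(403);
    }

    // Assumption: the settings form must stay reachable, otherwise an
    // administrator could never connect an account in the first place.
    $this->drupalGet('admin/config/services/instapage');
    $this->assertSession()->statusCodeEquals(200);
  }

}
```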

Issue fork instapage-3187618


Comments

timotej-pl created an issue. See original summary.

timotej-pl:

Status: Active » Needs review

nmatja:

I managed to reproduce the problem on the 'instapage/edit' and 'instapage/remove' pages. On the 'instapage/new' page the website crashed with an unexpected error.

After applying the fork patch I got the access denied warning on all listed pages. So the patch is working correctly.

bcizej made their first commit to this issue’s fork.

  • bcizej committed 3d3cb81 on 8.x-2.x authored by timotej-pl
    Issue #3187618 by timotej-pl, nmatja: Restrict forms access
    
bcizej:

Status: Needs review » Fixed

Thanks to both, committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.