Problem/Motivation

Currently, all the admin routes for amazon_pa require only the 'access administration pages' permission. This is generally a very "low risk" admin perm, that you frequently have to give out to any role that needs to do anything admin-esque. However, since this module's settings forms only require that, you can do a lot of fairly disruptive/malicious things to a site running amazon_pa:

  1. Blow through the daily API quota and DoS this feature on the site.
  2. Silently reconfigure the site to send the referral $$ to your API key instead of the site owner's
  3. ...

The previous amazon module (that this was based on) had a dedicated permission for this ("administer amazon"), so that you could really lock down the settings forms to sufficiently high-powered admin roles, not just anyone that needs to do anything admin-y.

Note: I was tempted to open this bug report on security.drupal.org, but I spoke to @greggles privately and the security team agreed this can be a public issue and doesn't require the formal security announcement workflow...

Steps to reproduce

  1. Create a low-tier role for trivial admin tasks.
  2. Give it 'access administration pages' permissions.
  3. Login as a user with this role.
  4. Visit /admin/config/services/amazon
  5. Enjoy viewing the Amazon PA API access keys, change things you probably shouldn't be able to change, etc.

Proposed resolution

Add a dedicated permission for this.

Remaining tasks

  1. Do it.
  2. Decide if there should be an upgrade path or just document the change in the release notes.
  3. Reviews/refinements.
  4. RTBC.
  5. Commit.

User interface changes

Not really. Just a new permission specifically for this module.

API changes

Nope.

Data model changes

N/A

CommentFileSizeAuthor
#2 3219462-2.patch1.52 KBdww

Comments

dww created an issue. See original summary.

dww’s picture

dww
we/he/they
commented
Version: 8.x-1.x-dev » 2.0.x-dev
Status: Active » Needs review
StatusFileSize
new 3219462-2.patch1.52 KB

This applies cleanly to 8.x-1.x and 2.0.x branches.

marcoka’s picture

marcoka commented

Looks good. Thanks.
I will add this when my git push over mistage is resolved i guess :)

marcoka’s picture

marcoka commented

Very good point as someone can change the affiliate id and that would be a disaster. Also the api keys. never thought about that because i never give admin to anyone :). Thank you.

I decided to add "restrict access: true" because of that.

Works here, i commited it to the dev.
As this is a dev, i added info to the changelog.

  • marcoka committed bda386b on 2.0.x 
    Issue #3219462 by dww: Use a more specific permission to restrict access...
marcoka’s picture

marcoka commented
Status: Needs review » Fixed

  • dww committed 6763587 on 2.0.x 
    Issue #3219462 by dww: Follow-up: permission machine names should be...
dww’s picture

dww
we/he/they
commented

Thanks! I pushed a minor follow-up fix to keep the permission machine name all lowercase, which seems to be the convention, even in the case of proper nouns like "Amazon PA" or "Twitter", etc.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.