Closed (fixed)
Project:
Lagoon Logs
Version:
8.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
4 Oct 2021 at 13:51 UTC
Updated:
27 Oct 2021 at 04:24 UTC
I think "Administer content" permission should not be used on a UI that is not related to content anyhow. If the Lagoon logs UI would also allow changing configuration, not just viewing them, this could be a security issue. Currently, it only exposes information that possibly cannot be leveraged anyhow, this is the reason why I am reporting this here.
https://git.drupalcode.org/project/lagoon_logs/-/blob/8.x-1.1/lagoon_log...
Ideas:
* Introduce a dedicated permission
* Move this information to the admin/reports/status page
Comments
Comment #2
kristen pol
I agree with this. I was surprised by this permission being used and was going to create an issue if there wasn't already one. But here it is :)
Easy fix could be to at least change this to Administer site configuration for now.
Comment #3
bomoko commented
Yeah, I think this was probably a copy-pasta issue in the early early dev of this module - we actually had a settings page that allowed some config settings, but it was scrapped, and this page and route is a kind of vestigial artifact.
Totally agree, though - I think just changing to Administer Site Configuration is the simplest.
Comment #9
bomoko commented
Thanks all - I'll consider this closed for the moment with the Perms update.
Comment #10
bomoko commented
Comment #11
kristen pol
Fast! Thanks :)
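
Added example (not part of the issue thread and not the module's own code): the permission change discussed above, written as Drupal YAML, with the original kind of setting, the quick fix from the comments, and the dedicated permission from the issue summary side by side. The route name, path, controller class and the dedicated permission name are hypothetical; 'administer nodes' is assumed to be the permission meant by "Administer content", which is its label in Drupal core.

```yaml
# File: lagoon_logs.routing.yml
# Route name, path and controller class below are hypothetical placeholders.
lagoon_logs.example_overview:
  path: '/admin/config/development/lagoon-logs-example'
  defaults:
    _controller: '\Drupal\lagoon_logs\Controller\ExampleOverviewController::build'
    _title: 'Lagoon Logs'
  requirements:
    # Before (assumed): a content-editing permission guards a page that has
    # nothing to do with content, so every content administrator can open it.
    # _permission: 'administer nodes'
    #
    # Quick fix from the comments: core's site configuration permission.
    # _permission: 'administer site configuration'
    #
    # Dedicated permission, as suggested in the issue summary. It can be
    # granted or withheld independently of content and site-wide config roles.
    _permission: 'view lagoon logs settings'

# File: lagoon_logs.permissions.yml
# The permission machine name and labels are hypothetical.
view lagoon logs settings:
  title: 'View Lagoon Logs settings'
  description: 'View the Lagoon Logs settings page.'
  # Shows the "give to trusted roles only" warning on the permissions page.
  restrict access: true
```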