As exported relation type is PHP code, the import has security implications.
The 'administer relation types' permission currently used for the relation type import menu item, does not mark it as such.

solutions:
- add 'restrict access' = TRUE to 'administer relation types' permission
- create new permission and add 'restrict access' = TRUE
- do the access check as views module: user_access('administer relation types') && user_access('use PHP for settings')

read: #870938: Add new permission for controlling imports

CommentFileSizeAuthor
#12 1372854-12.patch1.01 KBmikran
#7 1372854-7.patch1.54 KBmikran

Comments

mikran’s picture

mikran commented
Component: Code » API
Status: Active » Postponed

I think it's best to wait for the ctools solution, likely a new permission, from the linked issue.

naught101’s picture

naught101 commented
Status: Postponed » Active

According to #1372850: Harden access check for flag import, there is a new "use ctools import" permission that flag is using. Any reason why we shouldn't do the same?

mikran’s picture

mikran commented

Yes, use ctools import permission is in the current patch in #870938: Add new permission for controlling imports but that has not been committed to ctools yet.

mikran’s picture

mikran commented
Issue summary: View changes
Issue tags: +7.x-1.0 blocker
mikran’s picture

mikran commented

Ctools issue is still not in so if we want a stable 1.0 relation we have to go alternate route. Flag module did use flag import so based on that I think we should add a use relation import permission.

mikran’s picture

mikran commented
Parent issue: » #1707058: Relation 7.x-1.0
mikran’s picture

mikran commented
Status: Active » Needs review
StatusFileSize
new 1372854-7.patch1.54 KB

Status: Needs review » Needs work

The last submitted patch, 7: 1372854-7.patch, failed testing.

Leeteq’s picture

Leeteq commented
Related issues: +#870938: Add new permission for controlling imports

That related cTools issue is now RTBC, perhaps it just needs some more heads up in order to be committed.

Status: Needs work » Needs review

mikran queued 7: 1372854-7.patch for re-testing.

mikran’s picture

mikran commented
Status: Needs review » Needs work

And that's in, so we will use it.

mikran’s picture

mikran commented
Status: Needs work » Fixed
StatusFileSize
new 1372854-12.patch1.01 KB

  • mikran committed 1b0365f on 7.x-1.x 
    Issue #1372854 by mikran: Harden access check for relation type import

  • mikran committed 5431cad on 7.x-1.x 
    Revert "Issue #1372854 by mikran: Harden access check for relation type...
mikran’s picture

mikran commented
Status: Fixed » Needs review

#2400705: Outdated version of dependencies are installed on the test-infrastructure this happens here too

Status: Needs review » Needs work

The last submitted patch, 12: 1372854-12.patch, failed testing.

Status: Needs work » Needs review

mikran queued 12: 1372854-12.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 12: 1372854-12.patch, failed testing.

Status: Needs work » Needs review

mikran queued 12: 1372854-12.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 12: 1372854-12.patch, failed testing.

Status: Needs work » Needs review

mikran queued 12: 1372854-12.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 12: 1372854-12.patch, failed testing.

Status: Needs work » Needs review

mikran queued 12: 1372854-12.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 12: 1372854-12.patch, failed testing.

mikran’s picture

mikran commented
Component: API » Relation UI

Actually it makes no sense to use a permission from ctools as ctools is not even needed to import relation types. So the patch from #7 is correct after all.

  • mikran committed a2b7fbb on 7.x-1.x 
    Issue #1372854 by mikran: Harden access check for relation type import
mikran’s picture

mikran commented
Status: Needs work » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.