Add trusted roles recommendation to 'access site reports'

It would be a good idea to resolve this before Drupal 8 is released, especially given #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls - the fact that D8 is logging URLs potentially including passwords or tokens in the logs is really not so different from something like https://drupal.org/node/912412, and bigger than basic access bypass issues (e.g. with node titles).

I agree this should probably just be marked a trusted permission... It's not ever going to be possible to keep all sensitive information out of the logs entirely (or desirable).

Please see attached patches.

Shouldn't it be TRUE, rather than FALSE?

Addressed #5

I've verified #6, 'restrict access' needs to be TRUE.

I've verified #6, too. I confirm that 'restrict access' needs to be TRUE.

I committed this to HEAD. It may not be a bad idea to add a code comment explain "why"?

This is https://drupal.org/PSA-2014-002 and was already marked for D7 backport, so here's the patch.

I've reviewed #11. It correctly adds the "Give to trusted roles only" warning to the View site reports permission in D7. It's also the exact same change that went into D8. #11 is RTBC.

11: drupal-access_report_perm-2012468-11.patch queued for re-testing.

11: drupal-access_report_perm-2012468-11.patch queued for re-testing.

Updated the patch for D7. Added 'warning' attribute.

rerolled #11.
I think, this test case is not relevent here.

I'm not sure what was going on with #19 and #21. #11 didn't need a reroll and is still RTBC for D7.

21: drupal-access_report_perm-2012468-21.patch queued for re-testing.

21: drupal-access_report_perm-2012468-21.patch queued for re-testing.

7.29 was a security release, but I went ahead and committed this now to get it into 7.30 (since it's harmless and related to the above-mentioned PSA).

Someone could create a separate followup issue for both D7 and D8 for the suggestion by Dries above (to add a code comment).