I noticed that the confirmation form doesn't include a token. If you have some conditions in your rules to hide the link in some circumstances, the link won't be shown, but a user can replicate the link structure, change parameters, etc. And he will have access to the confirmation form (and also to rule execution).
Comments
Comment #1
sepgil commented
I'm not sure if I get the problem...
The idea of the token is to prevent immediate access to the rules execution. The token prevents that by showing a confirmation form.
It would be great if you could explain your argument in more detail and give an example on how to exploit the confirmation form.
Comment #2
dariogcode commented
Hi,
I'm using it with Views, and the confirmation link doesn't have a token. I just tried and this is the link I got:
Normal:
change-status/22/no_esta_interesado/sUONdjvcF9l1c976YL0rxEh1qcYovr3T_kMs0OA3cPw?destination=user/18/siac/all/22
Confirmation:
change-status/22/no_esta_interesado?destination=user/18/siac/all/22
The first one is only accessible by the current user, the second link is accessible by any other authenticated user.
I hope this is clear now.
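One way to close the gap described in this comment, as an added example that is not part of the thread and not the module's own code: a hypothetical Drupal 7 module (`example_status`; its function names and the `confirm` path segment are assumptions) that puts the same session-bound token on the confirmation path and checks it in an access callback shared by both routes.

```php
<?php
// Hypothetical Drupal 7 module "example_status" (illustration only).

/**
 * Implements hook_menu().
 */
function example_status_menu() {
  $base = array('access callback' => 'example_status_access', 'type' => MENU_CALLBACK);
  // Direct link: change-status/<id>/<status>/<token>
  $items['change-status/%/%/%'] = $base + array(
    'page callback' => 'example_status_execute',
    'page arguments' => array(1, 2),
    'access arguments' => array(1, 2, 3),
  );
  // Confirmation form: change-status/<id>/<status>/confirm/<token>
  $items['change-status/%/%/confirm/%'] = $base + array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_status_confirm_form', 1, 2),
    'access arguments' => array(1, 2, 4),
  );
  return $items;
}

// Builds either URL; the token covers the id/status pair and the session.
function example_status_link_path($id, $status, $confirm = FALSE) {
  $token = drupal_get_token("change-status:$id:$status");
  return "change-status/$id/$status/" . ($confirm ? "confirm/$token" : $token);
}

// Shared access check: a path rebuilt with other parameters, or requested
// from another user's session, fails drupal_valid_token() and gets a 403.
function example_status_access($id, $status, $token) {
  return user_is_logged_in() && drupal_valid_token($token, "change-status:$id:$status");
}

function example_status_confirm_form($form, &$form_state, $id, $status) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  $form['status'] = array('#type' => 'value', '#value' => $status);
  return confirm_form($form, t('Change the status?'), '<front>');
}

function example_status_confirm_form_submit($form, &$form_state) {
  drupal_set_message(example_status_execute($form_state['values']['id'], $form_state['values']['status']));
}

// Placeholder for the real action (the rule execution in the thread).
function example_status_execute($id, $status) {
  return t('Status of @id set to @status.', array('@id' => $id, '@status' => $status));
}
```

The token only ties the request to the session and the id/status pair it was issued for; conditions that decide whether the link is shown still have to be evaluated again when the path is requested.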
Comment #3
Paul B commented
Comment #4
nitrocad commented
You can protect the link and the URL by adding the following condition:
This is a critical bug; I don't know why this has been unsolved for 5 years....