Problem/Motivation
views.routing.yml uses permissions to perform access control on routes instead of _entity_access. This bypasses view entities' access controller and hook_entity_access() and variants, and is therefore a potential security flaw.
Proposed resolution
Convert all entity-based routes' access requirements to entity access.
Remaining tasks
None.
User interface changes
None.
API changes
None.
Comment | File | Size | Author |
---|---|---|---|
#1 | drupal_2200229_1.patch | 4.91 KB | Xano |
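The difference described under Problem/Motivation and Proposed resolution, shown as an added routing example that is not taken from the patch or from Drupal core. The `example.*` route names, paths and controller classes are hypothetical; `_permission`, `_entity_access` and `_entity_create_access` are the routing requirement keys discussed in this issue.

```yaml
# Constructed example: route names, paths and controllers are hypothetical.

# Before: access is decided by a permission alone. The {view} entity named in
# the path is never handed to its access controller, so hook_entity_access()
# and hook_ENTITY_TYPE_access() implementations are not consulted.
example.view_edit_before:
  path: '/example/views/{view}/edit'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleController::edit'
  requirements:
    _permission: 'administer views'

# After: the requirement has the form "<entity type>.<operation>". The {view}
# parameter is loaded as an entity and the decision is delegated to that
# entity's access controller, which also invokes the entity access hooks.
example.view_edit_after:
  path: '/example/views/{view}/edit'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleController::edit'
  requirements:
    _entity_access: 'view.update'

# A route that creates an entity has no existing entity to check, so it uses
# _entity_create_access with the entity type ID instead.
example.view_add:
  path: '/example/views/add'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleController::add'
  requirements:
    _entity_create_access: 'view'
```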
Comments
Comment #1
Xano
Comment #3
Xano
The test failure is caused by #2200333: content_translation_view_access() is invoked as a hook_ENTITY_TYPE_access() hook implementation.
Comment #4
Xano
1: drupal_2200229_1.patch queued for re-testing.
Comment #5
Xano
Comment #6
Xano
1: drupal_2200229_1.patch queued for re-testing.
Comment #7
dawehner
+1
Comment #8
webchick
Hm. That seems very weird that we have both _entity_access and _entity_create_access, but this is a HEAD thing, not a this patch thing.
Committed and pushed to 8.x. Thanks!