Problem/Motivation
Split from #2338559: Never serialize password fields by default
EntityNormalizer inherits ComplexDataNormalizer::normalize, which means it does not check field access when normalizing data. This could cause leakage of data such as e-mail or administrative fields. We test field access in other field access tests so serialization should abide by the same rules.
Proposed resolution
Check access when normalizing fields.
Write or modify serialization test to assert field does not appear in normalized or serialized data.
Remaining tasks
Reviews please
User interface changes
None
API changes
Field access will now be checked at the entity normalizer level
Comment | File | Size | Author |
---|---|---|---|
#16 | interdiff-2365319-16.txt | 6.24 KB | damiankloip |
#16 | 2365319-16.patch | 20.72 KB | damiankloip |
Comments
Comment #1
larowlanComment #4
BerdirAs mentioned in the other issue, if you add read checks, we should check write too?
And as also mentioned, it makes the serializer aware of the current user, and possibly needs a way to override that?
Should we remove the checks from rest.module then?
Comment #5
damiankloip CreditAttribution: damiankloip commentedWouldn't/Shouldn't the rest module take care of write access if it is saving a resource? I don't know if a Normalizer should care about that too?
Comment #6
BerdirWell, assuming that it checks view access then it should care about edit access too?
That said, as mentioned in the other issue, I'm -1 on doing this inside the serializer in the first place. But it should be at least consistent?
Comment #7
damiankloip CreditAttribution: damiankloip commentedYes, good point. Consistency is a good thing, but denormalization is only creating an instance of a class. Nothing else. So edit access doesn't matter at that stage? view is slightly different IMO as we need that to actually access the original data. Denormalization we are just using data we have.
EDIT: Yes, I ideally wanted to keep this out of the serializer but that didn't seem to get a good reception :)
Comment #8
damiankloip CreditAttribution: damiankloip commentedIf we go down this route, berdir is right, we have to be able to pass in an account for access. To do that we have no other choice really other than using the serializer $context parameter.
Comment #10
martin107 CreditAttribution: martin107 commentedDo I have this correct?
EntityTest testComment() has an integrity check comparing the following two objects
I think this exposes the problem that
\Drupal\comment\Entity\Comment::baseFieldDefinitions() contains the appropriate entry for hostname
and yet comment.views.schema.yml does not!!!
If so Yeay for integrity checks. I am still looking into this but I thought is was worth a mention. I only have a limited amount of time to work on this for the next few days :(
Comment #11
BerdirThis has nothing to do with comment.views.schema.yml, it has to do with permissions. One way to fix that test would be to log in as user 1 and then do the serialization. But that's exactly what I find scary about this issue.
Comment #12
damiankloip CreditAttribution: damiankloip commentedThis should just leave the rest tests.
Comment #14
damiankloip CreditAttribution: damiankloip commentedHere is a unit test for the new
ContentEntityNormalizer
class too.Comment #16
damiankloip CreditAttribution: damiankloip commentedLet's try this.
Comment #17
damiankloip CreditAttribution: damiankloip commentedComment #18
dawehnerIt just is odd that you can't even opt out of access checking, even if you really want to have just the data.
Comment #19
damiankloip CreditAttribution: damiankloip commentedPeople really want this locked down, what can I say. If you want to show a password field or something, you can override the AccessHandler for Users (or whatever other entity) and allow it there?
Comment #20
dawehnerForwarddrop will solve that for us.
Comment #21
larowlanI don't see a reason why we can't also add an ignore_field_access flag to context. Default would be false.
Comment #22
dawehnerWell, that was not the point, but people argued it should be really hard to bypass it (so changing the service).
Comment #23
damiankloip CreditAttribution: damiankloip commentedWe can look at an additional flag or some sort, but I think that should be in a follow up, let's fix this first so we are actually checking access.
Created #2387679: Allow bypassing access checking (using serializer context) for that.
Comment #25
catchThis looks great. Agreed on keeping it locked down here, if we want to provide an easier way to open it up that's easier to add, as opposed to trying to remove a feature later on which would be much harder.
Committed/pushed to 8.0.x, thanks!