When running the security review (www.drupal.org/project/security_review) a few webform views do not pass the test. It seems the master views do not provide any access checks.

These are

  • admin/structure/views/view/webform_analysis/edit/default
  • admin/structure/views/view/webform_results/edit/default
  • admin/structure/views/view/webform_submissions/edit/default
  • admin/structure/views/view/webform_webforms/edit/default

Comments

DanChadwick’s picture

DanChadwick CreditAttribution: DanChadwick commented
Title: Does not pass security review test » Does not pass review test
Category: Bug report » Support request
Status: Active » Closed (fixed)

First, if you actually think webform has a security issue, open a security issue. Do NOT open an issue in the regular issue queue.

Second, access is provided by the menu system, not the views, so there is no issue with them to my knowledge. Just because a code review module sees code that matches a pattern doesn't make it an issue.

malcomio’s picture

malcomio CreditAttribution: malcomio at Capgemini commented
Related issues: +#2499029: Add Default Views access control

Seems to be a duplicate of #2499029: Add Default Views access control