Voting starts in March for the Drupal Association Board election.
Suggested commit message (based on bug bounty input)
Issue #2512460 by pwolanin, Gábor Hojtsy, grisendo, JvE: "Translate user edited configuration" permission needs to be marked as restricted
The "Translate user edited configuration" permission actually allows one to translate shipped configuration strings, which is an overlap with interface text translation. This may result in string reuse between configuration and interface which leads to these configuration translations possibly returned by t(), e.g. with translating default content type labels. The return value of t() is considered safe, so the permission to translate configuration needs to be marked restricted.
reported multiply in the Drupal 8 security bug bounty program
The config translation permission should be clarified (the incorrect description fixed) and the interface translation one should be updated to match actual behavior. The config translation permission needs to be a restricted permission.
User interface changes
Permission names are better, descriptions are accurate. Config translation permission is restricted.
Data model changes
|#7||2512460-6.patch||1.1 KB||Gábor Hojtsy|
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 97,318 pass(es). View
|#7||interdiff.txt||1.1 KB||Gábor Hojtsy|
|#7||InterfaceTranslatioVSConfig.png||159.93 KB||Gábor Hojtsy|
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 97,322 pass(es). View