Add 'access content' permission to routes in cron_example [#2585581]

Problem/Motivation

cron_example module doesn't demonstrate basic security best practices on its routes.

We need to change that.

In the routes.yml file, it currently says:

  requirements:
    _access: 'TRUE'

This allows anyone with access to the site to see the page, which opens up other possible security concerns.

Proposed resolution

Change the routes.yml file to say something like this:
```
  requirements:
    _permission: 'access content'
```
Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with 'access content' permissions has been logged in.
Amend any tests which use these routes to log in a user who can access them.

Comment	File	Size	Author
#22	cron_example-access_checking-2585581-8-22.patch	1.3 KB	Andrew.Mikhailov
#22	8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass
#20	cron_example-access_checking-2585581-8-20.patch	1.46 KB	Andrew.Mikhailov
#20	8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail
#18	cron_example-access_checking-2585581-8-17.patch	1.46 KB	Andrew.Mikhailov
#18	8.x-1.x: PHP 5.5 & MySQL 5.5 1 fail
#18	interdiff.txt	1.46 KB	Andrew.Mikhailov
#16	cron_example-access_checking-2585581-16-8.patch	1.31 KB	sumthief
#16	8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass
#11	cron_example-access_checking-2585581-11-8.patch	1.25 KB	sumthief
#11	8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail
#9	cron_example-access_checking-2585581-9-8.patch	1.3 KB	sumthief
#9	8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass
#2	cron_example-access_checking-2585581-2-8.patch	396 bytes	sumthief
#2	8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

9 October 2015 at 22:16

Mile23 created an issue. See original summary.

Comment #2

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 10 October 2015 at 10:41

Status:

Active

» Needs review

File	Size
cron_example-access_checking-2585581-2-8.patch	396 bytes
8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail

Comment #3

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 11 October 2015 at 22:50

Status:

Needs review

» Needs work

Comment #4

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 11 October 2015 at 22:50

Status:

Needs work

» Needs review

Comment #5

11 October 2015 at 22:55

Status:

Needs review

» Needs work

The last submitted patch, 2: cron_example-access_checking-2585581-2-8.patch, failed testing.

Comment #6

12 October 2015 at 04:13

The last submitted patch, 2: cron_example-access_checking-2585581-2-8.patch, failed testing.

Comment #7

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 13 October 2015 at 09:10

Status:

Needs work

» Needs review

Need manually review.

Comment #8

13 October 2015 at 09:14

Status:

Needs review

» Needs work

The last submitted patch, 2: cron_example-access_checking-2585581-2-8.patch, failed testing.

File	Size
cron_example-access_checking-2585581-9-8.patch	1.3 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass

Comment #10

marvil07 CreditAttribution: marvil07 as a volunteer commented 22 October 2015 at 20:25

Status:

Needs review

» Postponed (maintainer needs more info)

How was the 2nd and 3rd hunk related t the issue here? (i.e. use minimal profile and give admin permission to the test user)

Comment #11

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 23 October 2015 at 03:08

File	Size
cron_example-access_checking-2585581-11-8.patch	1.25 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail

Thanks for your response. The test failed cause it can't find 'Run cron now' button: because it'll shown only for user with 'administer site configuration' permission. So including profile is one of ways to provide this permission for user creating process. But it's incorrect. So there is new patch.

Comment #12

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 23 October 2015 at 03:09

Status:

Postponed (maintainer needs more info)

» Needs review

Comment #13

23 October 2015 at 03:17

The last submitted patch, 2: cron_example-access_checking-2585581-2-8.patch, failed testing.

Comment #14

23 October 2015 at 03:18

Status:

Needs review

» Needs work

The last submitted patch, 11: cron_example-access_checking-2585581-11-8.patch, failed testing.

Comment #15

23 October 2015 at 04:07

The last submitted patch, 11: cron_example-access_checking-2585581-11-8.patch, failed testing.

Comment #16

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 23 October 2015 at 05:29

File	Size
cron_example-access_checking-2585581-16-8.patch	1.31 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass

3 files were hidden/shown/deleted

File	Size
cron_example-access_checking-2585581-2-8.patch	396 bytes
8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail
cron_example-access_checking-2585581-9-8.patch	1.3 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass
cron_example-access_checking-2585581-11-8.patch	1.25 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail

Update patch.

Comment #17

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 23 October 2015 at 05:29

Status:

Needs work

» Needs review

Comment #18

Andrew.Mikhailov CreditAttribution: Andrew.Mikhailov at DrupalJedi commented 23 October 2015 at 06:05

File	Size
interdiff.txt	1.46 KB
cron_example-access_checking-2585581-8-17.patch	1.46 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 1 fail

Hello!
Grigory's patch correct but not quite, you need to define user's permissions in setUp method.
Please check interdiff and apply this patch from Grigory.
Thank you.
Best regards.

Comment #19

23 October 2015 at 06:07

Status:

Needs review

» Needs work

The last submitted patch, 18: cron_example-access_checking-2585581-8-17.patch, failed testing.

Comment #20

Andrew.Mikhailov CreditAttribution: Andrew.Mikhailov at DrupalJedi commented 23 October 2015 at 06:24

Status:

Needs work

» Needs review

File	Size
cron_example-access_checking-2585581-8-20.patch	1.46 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 89 pass, 1 fail

Sorry, old my problem)
I've created patch via phpStorm)
I removed unnecessary module 'system' from test)
Best regards.

Comment #21

23 October 2015 at 06:32

Status:

Needs review

» Needs work

The last submitted patch, 20: cron_example-access_checking-2585581-8-20.patch, failed testing.

Comment #22

Andrew.Mikhailov CreditAttribution: Andrew.Mikhailov at DrupalJedi commented 23 October 2015 at 07:05

Status:

Needs work

» Needs review

File	Size
cron_example-access_checking-2585581-8-22.patch	1.3 KB
8.x-1.x: PHP 5.5 & MySQL 5.5 90 pass

I removed unnecessary module 'system' from test)

Seems it was wrong...
One more time, don't forget apply this patch from Grigoriy.
Best regards.

Comment #23

24 October 2015 at 22:07

Mile23 committed 241619b on 8.x-1.x authored by Andrew.Mikhailov

Issue #2585581 by Shlyapkin Grigoriy, Andrew.Mikhailov: Add 'access...

Comment #24

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 24 October 2015 at 22:08

Status:

Needs review

» Fixed

+++ b/cron_example/src/Tests/CronExampleTestCase.php
@@ -37,7 +37,7 @@ class CronExampleTestCase extends WebTestBase {
+  public static $modules = ['cron_example', 'system', 'node'];

We don't need system, but we do need node since it provides 'access content.'

Fixed on commit.

Thanks!

Comment #25

sumthief CreditAttribution: sumthief as a volunteer and at DrupalJedi commented 26 October 2015 at 10:21

Status:

Fixed

» Needs work

@Mile23, why we don't need 'system'? It provides permision 'administer site configuration'.
According to patch from #20: It has no 'system' in module list, but tests failed because there are no button 'Run cron now'. I think it caused by missing permission (in form builder there is the condition that checks the permission and doesn't create form element if user has no permission). But patch from #22 (or 18) absolutely identical to patch from #20 excluding existing 'system' in module list. And patches from #22 and #18 passed tests succesfully. So I think we should include system in module list.

Comment #26

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 26 October 2015 at 19:43

Status:

Needs work

» Fixed

The patch in #20 says

+++ b/cron_example/cron_example.routing.yml	(revision )
@@ -4,4 +4,4 @@
   requirements:
-    _access: 'TRUE'
+    _access: 'access content'

...which should be '_permission'.

The 'administer site configuration' permission doesn't come from the system module.

Comment #27

9 November 2015 at 19:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Add 'access content' permission to routes in cron_example

Problem/Motivation

Proposed resolution

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Comment #21

Comment #22

Comment #23

Comment #24

Comment #25

Comment #26

Comment #27

Parent issue

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community