Problem/Motivation

email_example module doesn't demonstrate basic security best practices on its routes.

We need to change that.

In the routes.yml file, it currently says:

  requirements:
    _access: 'TRUE'

This allows anyone with access to the site to see the page, which opens up other possible security concerns.

Proposed resolution

  • Change the routes.yml file to say something like this:
      requirements:
        _permission: 'access content'
    
  • Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with 'access content' permissions has been logged in.
  • Amend any tests which use these routes to log in a user who can access them.
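
One way to audit a code base for the pattern this issue describes, as an added example that is not part of the issue or of the Examples project's code: a small Python scanner that reports every route whose requirements block contains `_access: 'TRUE'`. The sample routing file, its route names, paths and form class are constructed placeholders, and the parser assumes the usual space-indented layout of a `*.routing.yml` file.

```python
import re

# Constructed sample in the shape of a Drupal *.routing.yml file. Route names,
# paths and the form class are placeholders, not the module's real values.
SAMPLE_ROUTING = """\
example.open_page:
  path: '/examples/open-page'
  defaults:
    _form: '\\Drupal\\example\\Form\\ExampleForm'
  requirements:
    _access: 'TRUE'

example.guarded_page:
  path: '/examples/guarded-page'
  requirements:
    _permission: 'access content'

# example.commented_out:
#   requirements:
#     _access: 'TRUE'
"""

# "key: value" lines; lines starting with '#' (comments) never match.
KEY_VALUE = re.compile(r"^(\s*)([^\s:#][^:]*):\s*(.*)$")


def find_open_routes(text):
    """Return names of routes whose requirements contain _access: 'TRUE'."""
    open_routes = []
    route = None        # current top-level route name
    req_indent = None   # indent of 'requirements:' while inside that block
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue    # blank lines and comments
        indent, key = len(match.group(1)), match.group(2).strip()
        value = match.group(3).split(" #")[0].strip().strip("'\"")
        if indent == 0:
            route, req_indent = key, None
        elif req_indent is not None and indent <= req_indent:
            req_indent = None   # left the requirements block
        if key == "requirements" and value == "" and indent > 0:
            req_indent = indent
        elif req_indent is not None and indent > req_indent:
            if key == "_access" and value == "TRUE":
                open_routes.append(route)
    return open_routes
```

Calling `find_open_routes()` on the text of each `*.routing.yml` file in a module gives the list of routes to review and move to a `_permission` requirement.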

Comments

Mile23 created an issue.

sumthief

Status: Active » Needs review
FileSize
411 bytes
Mile23

Status: Needs review » Needs work
Mile23

Status: Needs work » Needs review

marvil07

Thanks!

marvil07

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.