Problem/Motivation
The email_example module doesn't demonstrate basic security best practices on its routes.
We need to change that.
In the routes.yml file, it currently says:
requirements:
  _access: 'TRUE'
This allows anyone with access to the site to see the page, which opens up other possible security concerns.
Proposed resolution
- Change the routes.yml file to say something like this:
  requirements:
    _permission: 'access content'
- Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with 'access content' permissions has been logged in.
- Amend any tests which use these routes to log in a user who can access them.
Comment | File | Size | Author |
---|---|---|---|
#2 | email_example-access_checking-2585585-2-8.patch | 411 bytes | sumthief |
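
An audit helper for the change proposed in the issue summary, added here as an example and not part of the email_example module or its patch: it scans routing file text for routes that still carry `_access: 'TRUE'`. The sample routes and the function names are hypothetical, and the small reader assumes the simple route / key / nested-key layout that routing files use.

```python
# Constructed sample routing file. Route names, paths and controllers are
# hypothetical and are not taken from the email_example module.
SAMPLE_ROUTING_YML = r"""
example.open_page:
  path: '/example/open'
  defaults:
    _controller: '\Drupal\example\Controller\Pages::open'
  requirements:
    _access: 'TRUE'

example.gated_page:
  path: '/example/gated'
  defaults:
    _controller: '\Drupal\example\Controller\Pages::gated'
  requirements:
    _permission: 'access content'
"""

def parse_routes(routing_yml):
    """Read route / key / nested-key nesting only (not a general YAML parser)."""
    routes, route, section, child_indent = {}, {}, None, None
    for raw in routing_yml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:  # a new route definition starts
            route, section, child_indent = routes.setdefault(key, {}), None, None
        elif child_indent is None or indent <= child_indent:
            child_indent, section = indent, key
            route[key] = value if value else {}
        elif isinstance(route.get(section), dict):
            route[section][key] = value
    return routes

def find_open_routes(routing_yml):
    """Return (route name, path) for each route with `_access: 'TRUE'`."""
    return [
        (name, r.get("path"))
        for name, r in parse_routes(routing_yml).items()
        if isinstance(r.get("requirements"), dict)
        and r["requirements"].get("_access") == "TRUE"
    ]

if __name__ == "__main__":
    for name, path in find_open_routes(SAMPLE_ROUTING_YML):
        print(f"{name} ({path}) still uses _access: 'TRUE'")
```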
Comments
Comment #2
sumthief (as a volunteer and at DrupalJedi) commented
Comment #3
Mile23
Comment #4
Mile23
Comment #6
marvil07 (as a volunteer) commented
Thanks!
Comment #7
marvil07 (as a volunteer) commented