Problem/Motivation
js_example module doesn't demonstrate basic security best practices on its routes.
We need to change that.
In the routes.yml file, it currently says:
    requirements:
      _access: 'TRUE'
This allows anyone with access to the site to see the page, which opens up other possible security concerns.
Proposed resolution
- Change the routes.yml file to say something like this:
    requirements:
      _permission: 'access content'
- Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with 'access content' permissions has been logged in.
- Amend any tests which use these routes to log in a user who can access them.
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | js_example_access_checking-2585593-8-14.patch | 2 KB | Andrew.Mikhailov |
| #12 | js_example_access_checking-2585593-8-12.patch | 2 KB | Andrew.Mikhailov |
| #10 | js_example-access_checking-2585593-10-2.patch | 2.19 KB | sumthief |
| #2 | js_example-access_checking-2585593-2-8.patch | 1.04 KB | sumthief |
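An added example, not part of the original issue or the Examples project's code: a small Python check that lists the routes in a `*.routing.yml` text whose requirements contain `_access: 'TRUE'` and no `_permission`, the pattern this issue replaces. The route names, paths and controller classes in the sample are constructed, and the scanner assumes block-style YAML (one key per line under `requirements:`).

```python
import re

# Constructed sample: the first route is the issue's "before" (open to all),
# the second its proposed "after". Names, paths and classes are hypothetical.
SAMPLE_ROUTING_YML = r"""example.open_page:
  path: '/example/open'
  defaults:
    _controller: '\Drupal\example\Controller\Page::open'
  requirements:
    _access: 'TRUE'

example.gated_page:
  path: '/example/gated'
  defaults:
    _controller: '\Drupal\example\Controller\Page::gated'
  requirements:
    _permission: 'access content'
"""

ROUTE_RE = re.compile(r"^([A-Za-z0-9_.\-]+):\s*$")       # top-level route name
KEY_RE = re.compile(r"^(\s+)([A-Za-z0-9_]+):\s*(.*)$")   # indented "key: value"

def route_requirements(text):
    """Map each route name to the key/value pairs under its requirements:."""
    routes, route, in_req, req_indent = {}, None, False, 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip blanks and full-line comments
        top = ROUTE_RE.match(line)
        if top:
            route, in_req = top.group(1), False
            routes[route] = {}
            continue
        key = KEY_RE.match(line)
        if not key or route is None:
            continue
        indent, name, value = len(key.group(1)), key.group(2), key.group(3)
        if name == "requirements" and not value:
            in_req, req_indent = True, indent
        elif in_req and indent > req_indent:
            routes[route][name] = value.strip().strip("'\"")
        else:
            in_req = False                # left the requirements block
    return routes

def open_routes(text):
    """Routes to review: _access is 'TRUE' and no _permission is required."""
    return sorted(name for name, req in route_requirements(text).items()
                  if req.get("_access") == "TRUE" and "_permission" not in req)
```

Calling `open_routes()` on the contents of a module's routing file gives a review list; a route on it may still be intentionally public.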
Comments
Comment #2
sumthief (as a volunteer and at DrupalJedi) commented
Comment #3
Mile23
Comment #4
Mile23
Comment #7
sumthief (as a volunteer and at DrupalJedi) commented:
Needs manual review.
Comment #9
Mile23:
If you click on the newest failing testbot run, you'll see that the patch causes failing tests.
So we have to figure out why the tests are failing, and then try another patch.
In this case, the results look like this:
Comment #10
sumthief (as a volunteer and at DrupalJedi) commented:
Update tests for patch #2.
Comment #12
Andrew.Mikhailov (at DrupalJedi) commented:
Corrected patch.
Comment #14
Andrew.Mikhailov (at DrupalJedi) commented:
Sorry) I've created the patch via PhpStorm)
Now all should be fine.
Comment #15
Andrew.Mikhailov (at DrupalJedi) commented:
Everything is ok) Please check and apply my patch)
Best regards!
Comment #16
Andrew.Mikhailov (at DrupalJedi) commented:
Could you check this task?
Is everything correct for you or do we need to do some improvements?
Best regards.
Comment #18
marvil07 (as a volunteer) commented:
Thanks!