Problem/Motivation
The tour_example module doesn't demonstrate basic security best practices on its routes.
We need to change that.
In the routes.yml file, it currently says:

    requirements:
      _access: 'TRUE'

This allows anyone with access to the site to see the page, which opens up other possible security concerns.
Proposed resolution
- Change the routes.yml file to say something like this:

      requirements:
        _permission: 'access content'

- Update the tool menu test to reflect that this route is not visible to anonymous users, and *is* visible once a user with the 'access content' permission has logged in.
- Amend any tests which use these routes to log in a user who can access them.
Comment | File | Size | Author |
---|---|---|---|
#2 | block_example-access_checking-2585607-2-8.patch | 451 bytes | sumthief |
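
A check for the pattern this issue describes, as an added example (not code from the Examples project): a standard-library Python scan of Drupal-style `*.routing.yml` text for routes whose `requirements` set `_access: 'TRUE'`. The route names and paths in the sample are constructed, and the line-based parsing assumes the space-indented block layout routing files normally use.

```python
import re
from pathlib import Path

# Constructed sample shaped like a Drupal *.routing.yml file; the route
# names and paths are invented for this example, not taken from the module.
SAMPLE = """\
demo.open:
  path: '/demo/open'
  requirements:
    _access: 'TRUE'
demo.guarded:
  path: '/demo/guarded'
  requirements:
    _permission: 'access content'
demo.other:
  path: '/demo/other'
  requirements:
    # _access: 'TRUE'
    _permission: 'access content'
"""

OPEN_ACCESS = re.compile(r"""^_access:\s*['"]?TRUE['"]?\s*(#.*)?$""")

def find_open_routes(text):
    """Return [(route_name, path)] for routes whose requirements set _access: 'TRUE'."""
    hits, paths, route, req_indent = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if req_indent is not None and indent <= req_indent:
            req_indent = None                     # left the requirements block
        if indent == 0:                           # top-level key starts a new route
            route = line.split(":", 1)[0].strip()
        elif req_indent is not None:
            if OPEN_ACCESS.match(line):
                hits.append(route)
        elif line.startswith("path:"):
            paths[route] = line.split(":", 1)[1].strip().strip("'\"")
        elif line == "requirements:":
            req_indent = indent
    return [(r, paths.get(r)) for r in hits]

def audit_tree(root):
    """Scan every *.routing.yml under root; return {file: [(route, path), ...]}."""
    found = {str(p): find_open_routes(p.read_text()) for p in Path(root).rglob("*.routing.yml")}
    return {f: hits for f, hits in found.items() if hits}
```

Running `audit_tree()` over a module directory lists each file that still contains an open route, which is the set of routes whose tests need a logged-in user once the requirement is changed.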
Comments
Comment #2
sumthief (as a volunteer and at DrupalJedi) commented
Comment #3
sumthief (as a volunteer and at DrupalJedi) commented
Comment #4
Mile23
Comment #5
Mile23
Comment #7
sumthief (as a volunteer and at DrupalJedi) commented
Comment #8
Mile23
The patch applies, the testbot is happy (after some initial hiccups) and so let's commit it!
Thanks, @Shlyapkin!