Hello,
I randomly found that anonymous users can access the feed list page /admin/content/feed because the view does not provide an access check.
I am also thinking of changing the permission for the page in routing.yml to use the access feed overview page.
I will upload a patch.
Comment | File | Size | Author |
---|---|---|---|
#2 | feeds-anonymous_access-2836998-2.patch | 1.3 KB | Grimreaper |
Comments
Comment #2
Grimreaper:
Here is the patch.
After checking how admin/content works, I have only modified the view config.
Does this need a hook_update?
Comment #3
daboo:
This is controllable via permissions under Feeds -> "Access the Feed overview page". I merely changed it to Administrator to keep others from accessing.
Comment #4
Grimreaper:
Hello @daboo,
The problem is that this permission is not used by the view provided by default.
And as the view responds on the same URL a default route in feeds.routing.yml has, even if the route requires this permission, anonymous users can access the listing.
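
The failure mode described in comment #4, as an added example that is not part of this thread or of the Feeds code base: a check over an already-parsed Views config export that flags page displays under `admin/` whose effective access type is `none`. The view id and the permission machine name `access feed overview` are assumptions made for the constructed sample; only the path comes from this issue.

```python
# Added example: audit a parsed Views config export (views.view.*.yml loaded
# into a dict) for admin page displays that have no access check.
ADMIN_PREFIX = "admin/"

def effective_access(view, display_id):
    """Return the access settings a display really uses.

    A non-default display inherits 'access' from the 'default' display unless
    it sets defaults.access to false. A missing section means type 'none'.
    """
    displays = view.get("display", {})
    opts = displays.get(display_id, {}).get("display_options", {})
    overridden = opts.get("defaults", {}).get("access") is False
    if display_id != "default" and not overridden:
        opts = displays.get("default", {}).get("display_options", {})
    return opts.get("access") or {"type": "none"}

def unprotected_admin_pages(view):
    """List (display_id, path) for admin page displays with access type 'none'."""
    findings = []
    for display_id, display in view.get("display", {}).items():
        if display.get("display_plugin") != "page":
            continue
        path = (display.get("display_options", {}).get("path") or "").lstrip("/")
        if not path.startswith(ADMIN_PREFIX):
            continue
        if effective_access(view, display_id).get("type", "none") == "none":
            findings.append((display_id, path))
    return findings

def sample_view(access):
    """Constructed sample: one page display that inherits access from 'default'."""
    return {
        "id": "example_feed_list",  # hypothetical view id
        "display": {
            "default": {"display_plugin": "default",
                        "display_options": {"access": access}},
            "page_1": {"display_plugin": "page",
                       "display_options": {"path": "admin/content/feed"}},
        },
    }

BEFORE = sample_view({"type": "none", "options": {}})
# Assumed machine name of the "Access the Feed overview page" permission.
AFTER = sample_view({"type": "perm", "options": {"perm": "access feed overview"}})

if __name__ == "__main__":
    print("before:", unprotected_admin_pages(BEFORE))
    print("after: ", unprotected_admin_pages(AFTER))
```

Because the view's page display answers on the same path as the route, it is the view's access setting that has to carry the permission, which is why the check reads the view config rather than the routing file.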
Comment #5
daboo:
Thanks for the update @Grimreaper. I wasn't aware of that.
Comment #7
MegaChriz (as a volunteer):
Great catch! Seems pretty critical too. I can confirm that the patch fixes the issue if I re-import the configuration file.
I think there is no need for a hook_update now, as there is no official release of Feeds 8.x-3.x yet, only a dev release.
Comment #8
Grimreaper:
OK.
Thanks for the commit.