Users without 'Grant content access' permission can edit content access.

This issue describes an access bypass vulnerability

Not critical as this checks to related similar permissions that have the restrict access flag set.

administer content types:
  title: 'Administer content types'
  description: 'Maintain the types of content available and the fields that are associated with those types.'
  restrict access: true
administer nodes:
  title: 'Administer content'
  description: 'Promote, change ownership, edit revisions, and perform other tasks across all content types.'
  restrict access: true

    $permission_match = $account->hasPermission('administer nodes') && $account->hasPermission('administer content types');
    return AccessResult::allowedIf($permission_match && $node_type);

Thus also a non-noticeable security issue too (if it was a full release).

It seems that this service (access_check.content_access_admin_settings_access) only applies to the single admin page?

So maybe something like:

    $permission_match = $account->hasPermission('grant content access') && $account->hasPermission('administer content types');

Albeit "grant content access" permission is more related to granting access on individual nodes. The permission "administer nodes" really doesn't make sense though?

Can you more fully describe the permissions given to your two admin roles? I can't reproduce this with any combination of permissions.

I cannot reproduce this error. It seems to act as I'd expect.

1. New 8.8.x install
2. Install content_access
3. Create role "Normal Admin", with the ability to create new 'page' content, and with the following permissions within Access control:

   View any page content
   View own page content
   Edit own page contnet
   Delete any page content
   Delete own page content

I tested to see whether that role is able to alter content access for the content type or a node of that type, adding related permissions (one at a time).

If this is one of only two issues keeping content_access from being covered by SA policy, it'd be great to get confirmation whether this issue still exists.

Testing.

Restoring

According to the original issue summary, the problem arise when there are two admin roles: a super admin (presumably user #1) and a "normal" administrator. It was unclear what is meant by a "normal" administrator. It is asked by presleyd in comment #4, but not replied to.

However. I've fond that if the "normal" administrator has the permission to "Administer content" (machine name administer nodes), then he/she can edit content access for a content type without having the 'Grant content access' permission.

I think is by (bad) design. It seems that the original author of this module thought of administer nodes as a permission to bypass access control, and that this is actually a duplicate of #3144670: Check "Bypass content access control" to determine global access.

Fixed in #3144670: Check "Bypass content access control" to determine global access.

Are there other issues keeping this module from being covered by the security policy? If so, I can help testing.

Are there other issues keeping this module from being covered by the security policy? If so, I can help testing.

I keep track of those that need to be resolved before we can make a stable release 8.x-1.0 with security coverage here: #3143952: [meta] Content Access release 2.0.0.

If you want to see a release with security coverage, those are the ones to focus on.