Found a major security problem in Entity Blocks -- it performs no access control whatsoever. If the current user does not have permission to view the entity being displayed, they will see it anyway. I wrote a functional fail test in Lightning to confirm the problem, and it proves that patching Entity Block to call the access control handler fixes the issue.
Patch coming shortly.
Comment | File | Size | Author |
---|---|---|---|
#6 | interdiff-4-6.txt | 289 bytes | shadcn |
#6 | 2846004-6.patch | 728 bytes | shadcn |
#4 | 2846004-4.patch | 698 bytes | shadcn |
#2 | 2846004-2.patch | 1.84 KB | phenaproxima |
Comments

Comment #2
phenaproxima

Comment #3
balsama: We're using this in Lightning and have a functional test that asserts anon users cannot see unpublished content embedded with this block.

Comment #4
shadcn (Chapter Three): Wouldn't something like this work as well?

Comment #5
phenaproxima: Wish I'd known about that method before :) Yes, it would work... personally, I think it'd be better to cut off the block access entirely, so that not even its wrapping HTML is rendered (which could interfere with theming, depending on how the site builder and themer have done things).

Comment #6
shadcn (Chapter Three): Hmm I could not reproduce the empty wrapping HTML issue with Bartik but as per `BlockPluginInterface::build`, an empty array should take care of it in case :)

Comment #9
floretan (Wunder): Thanks, this looks good!
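The two approaches discussed in this thread, delegating the block's own access decision to the displayed entity's access handler (comment #5) and returning an empty render array from `build()` when access is denied (comment #6), are both shown in the following block plugin. This is an added illustration, not the Entity Blocks module's code or any of the attached patches; the plugin id `example_entity_block`, the module namespace `example_entity_block`, and the `entity_type`/`entity_id`/`view_mode` configuration keys are assumptions made for the example.

```php
<?php

namespace Drupal\example_entity_block\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Renders a configured entity, but only to users allowed to view it.
 *
 * Hypothetical plugin written for this example; the id is an assumption.
 *
 * @Block(
 *   id = "example_entity_block",
 *   admin_label = @Translation("Example entity block (access-checked)")
 * )
 */
class ExampleEntityBlock extends BlockBase implements ContainerFactoryPluginInterface {

  /** @var \Drupal\Core\Entity\EntityTypeManagerInterface */
  protected $entityTypeManager;

  public function __construct(array $configuration, $plugin_id, $plugin_definition, EntityTypeManagerInterface $entity_type_manager) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
    $this->entityTypeManager = $entity_type_manager;
  }

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    return new static($configuration, $plugin_id, $plugin_definition, $container->get('entity_type.manager'));
  }

  /**
   * Assumed configuration keys: which entity to show and in which view mode.
   */
  public function defaultConfiguration() {
    return ['entity_type' => 'node', 'entity_id' => NULL, 'view_mode' => 'default'] + parent::defaultConfiguration();
  }

  /**
   * Loads the configured entity, or returns NULL if it is missing.
   */
  protected function loadEntity() {
    $config = $this->getConfiguration();
    if (empty($config['entity_id'])) {
      return NULL;
    }
    return $this->entityTypeManager->getStorage($config['entity_type'])->load($config['entity_id']);
  }

  /**
   * {@inheritdoc}
   *
   * Delegates to the entity's own access handler. A forbidden result here
   * means the block system never calls build(), so no wrapping markup is
   * emitted at all (the behaviour preferred in comment #5).
   */
  protected function blockAccess(AccountInterface $account) {
    $entity = $this->loadEntity();
    if (!$entity) {
      return AccessResult::forbidden('Configured entity does not exist.');
    }
    // $return_as_object = TRUE yields an AccessResult that carries the
    // cacheability of the decision (user permissions, entity status), so the
    // block's cached output varies correctly between anonymous and editors.
    return $entity->access('view', $account, TRUE)
      ->addCacheableDependency($entity);
  }

  /**
   * {@inheritdoc}
   *
   * Second line of defence: re-check access for the current user and return
   * an empty array when denied (the approach from comment #6). The block view
   * builder treats an empty render array as "nothing to show".
   */
  public function build() {
    $entity = $this->loadEntity();
    if (!$entity || !$entity->access('view')) {
      return [];
    }
    $view_builder = $this->entityTypeManager->getViewBuilder($entity->getEntityTypeId());
    return $view_builder->view($entity, $this->getConfiguration()['view_mode']);
  }

}
```

The important point for reviewers of similar code is that `blockAccess()` must return the entity access result itself rather than `AccessResult::allowed()`: the entity handler is what knows about unpublished status, per-bundle permissions and contributed access modules, and it also supplies the cache contexts and tags the block needs to stay correct after an entity is published or unpublished.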