Found a major security problem in Entity Blocks -- it performs no access control whatsoever. If the current user does not have permission to view the entity being displayed, they will see it anyway. I wrote a functional fail test in Lightning to confirm the problem, and it proves that patching Entity Block to call the access control handler fixes the issue.

Patch coming shortly.


Comments

phenaproxima created an issue. See original summary.

phenaproxima

Status: Active » Needs review
FileSize: 1.84 KB
balsama

Status: Needs review » Reviewed & tested by the community

We're using this in Lightning and have a functional test that asserts anon users cannot see unpublished content embedded with this block.

shadcn

FileSize: 698 bytes

Wouldn't something like this work as well?

phenaproxima

Wish I'd known about that method before :) Yes, it would work... Personally, I think it'd be better to cut off the block access entirely, so that not even its wrapping HTML is rendered (which could interfere with theming, depending on how the site builder and themer have done things).
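As an added example (not the Entity Block module's code or the patch attached to this issue), this is what the approach described above looks like in a block plugin: blockAccess() delegates to the entity's access control handler, so a forbidden verdict suppresses the block before build() runs. The plugin id, class name and the 'entity_type'/'entity_id' configuration keys are assumed for illustration.

```php
<?php

namespace Drupal\example_block\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical block rendering one configured entity (added example, not the
 * Entity Block module's code; the 'entity_type' and 'entity_id' config keys
 * are assumed for illustration). Service injection is skipped for brevity.
 *
 * @Block(id = "example_entity_view", admin_label = @Translation("Example entity view"))
 */
class ExampleEntityViewBlock extends BlockBase {

  // Loads the configured entity, or NULL if the config is incomplete or stale.
  protected function loadEntity() {
    $config = $this->getConfiguration();
    if (empty($config['entity_type']) || empty($config['entity_id'])) {
      return NULL;
    }
    return \Drupal::entityTypeManager()->getStorage($config['entity_type'])->load($config['entity_id']);
  }

  // Evaluated by the block system before build(); a forbidden result suppresses
  // the whole block, wrapper markup included. Delegating to the entity's access
  // control handler inherits every rule the entity type enforces (for example,
  // anonymous users cannot 'view' an unpublished node) instead of re-implementing them.
  protected function blockAccess(AccountInterface $account) {
    $entity = $this->loadEntity();
    if (!$entity) {
      return AccessResult::forbidden('No entity configured or it no longer exists.');
    }
    // Attach the entity as a cache dependency so the verdict is recomputed when
    // the entity changes (e.g. once it is published).
    return $entity->access('view', $account, TRUE)->addCacheableDependency($entity);
  }

  public function build() {
    // blockAccess() has already run, so an entity is expected; the empty array is
    // only a fallback (it renders nothing, as BlockPluginInterface::build() allows).
    $entity = $this->loadEntity();
    if (!$entity) {
      return [];
    }
    return \Drupal::entityTypeManager()->getViewBuilder($entity->getEntityTypeId())->view($entity, 'default');
  }
}
```

A functional test of the kind mentioned in this issue would then assert that an anonymous user requesting a page with this block placed, configured with an unpublished node, sees neither the node content nor the block's wrapper markup.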

shadcn

Status: Reviewed & tested by the community » Needs review
FileSize: 728 bytes
FileSize: 289 bytes

Hmm, I could not reproduce the empty wrapping HTML issue with Bartik, but as per BlockPluginInterface::build, an empty array should take care of it in case :)

  • floretan committed e51c756 on 8.x-1.x authored by arshadcn
    Issue #2846004 by arshadcn, phenaproxima: Entity Block does not perform...

floretan credited floretan.

floretan

Status: Needs review » Fixed

Thanks, this looks good!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.