Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If you are using a module like tac_lite, and have a linkit link from an anonymously available page contents to other content which requires additional login to access, then the linkit canonical path is kept as node/9999 instead of using translating to the url alias.
Comment | File | Size | Author |
---|---|---|---|
#2 | 2871327-2.linkit.Links-to-secured-pages-do-not-get-the-url-alias.patch | 727 bytes | singularo |
Comments
Comment #2
singularoAttaching patch that uses the path alias manager to retrieve the alias so that the destrination link is always the path alias url.
Comment #3
anonI see the problem here, but I'm not sure if we should handle this.
If a user don't have access to the target page, and we transform the href to an alias, we would expose data that should be protected.
Wouldn't this introduce a security issue?
Comment #4
pingers CreditAttribution: pingers as a volunteer and at University of Adelaide commentedThis is no worse than how linkit already works.
E.g.
Result: The alias to an unpublished (403) page is disclosed to anonymous users.
Treating urls as "private information" is a bit weird. However, I can see a use case where you have an unpublished page, E.g. /iphone-8-available-2017-05-01, you wouldn't want that to return 403.
Comment #5
mark_fullmerThis branch of the Linkit module is no longer under active development, and this issue hasn't seen any comments in 6 years.
In order to help the community and the module maintainers focus work on the issues for this module that are most important to the Drupal community, I'm going to close this issue.
If the community feels this is in error, we can re-open it.