Profile Add Page allows editing without further permissions [#2884434]

The Profile Add route uses the ProfileAccessCheck class to check permissions, but in the case of singular profiles this page also allows editing of profile entities. Which since the page only tests for the add permission appears to allow any user to edit any other user's profile regardless of whether they have the 'edit any' permission or not.

I'm going to override this locally to enforce until patched.

Comment	File	Size	Author
#7	profile_add_page_allows-2884434-7.patch	8.96 KB	mglaman
#5	profile_add_page_allows-2884434-5.patch	4.57 KB	mglaman
#3	profile_add_page_allows-2884434-3.patch	1.52 KB	mglaman

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

7 June 2017 at 16:12

ramriot created an issue. See original summary.

Comment #2

mglaman

English

WI, USA

CreditAttribution: mglaman at Centarro commented 11 June 2017 at 23:06

Issue tags:

-access permissions

+Needs tests

I'm going to override this locally to enforce until patched.

Providing your patch is a good step to see how we can fix this. We'll also need a test for this.

Comment #3

mglaman

English

WI, USA

CreditAttribution: mglaman at Centarro commented 12 June 2017 at 16:33

Status:

Active

» Needs review

File	Size
profile_add_page_allows-2884434-3.patch	1.52 KB

Failing test.

Comment #4

12 June 2017 at 16:35

Status:

Needs review

» Needs work

The last submitted patch, 3: profile_add_page_allows-2884434-3.patch, failed testing. View results

Comment #5

mglaman

English

WI, USA

CreditAttribution: mglaman at Centarro commented 12 June 2017 at 16:44

Version:	8.x-1.0-alpha7	» 8.x-1.x-dev
Status:	Needs work	» Needs review

File	Size
profile_add_page_allows-2884434-5.patch	4.57 KB

Fix + passing tests.

Comment #6

12 June 2017 at 16:46

Status:

Needs review

» Needs work

The last submitted patch, 5: profile_add_page_allows-2884434-5.patch, failed testing. View results

Comment #7

mglaman

English

WI, USA

CreditAttribution: mglaman at Centarro commented 12 June 2017 at 17:04

Status:

Needs work

» Needs review

File	Size
profile_add_page_allows-2884434-7.patch	8.96 KB

Fixed kernel test. Looks like this even exposed a bug.

This should have failed as the user only had "create" permission and could create other user profiles. Now tests that this is false for access.

    $this->assertTrue($this->accessManager->checkNamedRoute(
      'entity.profile.type.user_profile_form.add',
      ['user' => $web_user2->id(), 'profile_type' => $this->type->id()],
      $web_user3
    ));

Comment #8

12 June 2017 at 17:11

mglaman committed 822cb46 on 8.x-1.x

Issue #2884434 by mglaman: Profile Add Page allows editing without...

Comment #9

mglaman

English

WI, USA

CreditAttribution: mglaman at Centarro commented 12 June 2017 at 17:12

Status:

Needs review

» Fixed

Access fixed!

Comment #10

26 June 2017 at 17:14

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Profile Add Page allows editing without further permissions

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community