The Profile Add route uses the ProfileAccessCheck class to check permissions, but in the case of singular profiles this page also allows editing of profile entities. Since the page only tests for the add permission, this appears to allow any user to edit any other user's profile, regardless of whether they have the 'edit any' permission or not.
I'm going to override this locally to enforce until patched.
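The failure mode described in the summary is an access check that answers only "may this account add a profile of this type?" on a route that, for singular profile types, actually edits an existing profile. The following is an added illustration written for this issue; it is not the module's ProfileAccessCheck and not the committed patch. The module name, service wiring, route parameter names (`{user}`, `{profile_type}`), the `allowsMultiple()` accessor on the profile type and the "add own/any {type} profile" permission strings are assumptions about the Profile module's conventions.

```php
<?php

namespace Drupal\example_profile_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\profile\Entity\ProfileTypeInterface;
use Drupal\user\UserInterface;

/**
 * Route access check for a profile "add" page that may really be an edit.
 *
 * Illustrative code only (assumed module, parameter names and permissions).
 */
class ProfileAddOrEditAccessCheck implements AccessInterface {

  /**
   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
   */
  protected $entityTypeManager;

  public function __construct(EntityTypeManagerInterface $entity_type_manager) {
    $this->entityTypeManager = $entity_type_manager;
  }

  /**
   * The shape the issue describes: only the "add" permissions are consulted,
   * even when the page will load and edit an existing singular profile.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   */
  public function accessAddOnly(UserInterface $user, ProfileTypeInterface $profile_type, AccountInterface $account) {
    return $this->addAccess($user, $profile_type, $account);
  }

  /**
   * Hardened check: if the type is singular and the target user already has
   * a profile, the page is an edit page, so defer to the entity's own
   * 'update' access, which is where "edit own"/"edit any" is enforced.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   */
  public function access(UserInterface $user, ProfileTypeInterface $profile_type, AccountInterface $account) {
    $existing = $this->loadExistingProfile($user, $profile_type);

    // allowsMultiple() is assumed to expose the type's "multiple" flag.
    if ($existing !== NULL && !$profile_type->allowsMultiple()) {
      // Editing an existing profile: the add permission is irrelevant here.
      return $existing->access('update', $account, TRUE)
        ->addCacheableDependency($existing);
    }

    // Genuinely creating a new profile.
    return $this->addAccess($user, $profile_type, $account)
      ->addCacheableDependency($profile_type);
  }

  /**
   * "add own" for the account's own page, "add any" for anyone else's.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   */
  protected function addAccess(UserInterface $user, ProfileTypeInterface $profile_type, AccountInterface $account) {
    $type_id = $profile_type->id();
    // Permission names follow the module's "add own/any {type} profile"
    // convention; assumed here.
    $own = AccessResult::allowedIf($account->id() == $user->id())
      ->andIf(AccessResult::allowedIfHasPermission($account, "add own $type_id profile"));
    $any = AccessResult::allowedIfHasPermission($account, "add any $type_id profile");
    return $own->orIf($any)->cachePerUser();
  }

  /**
   * Loads the target user's existing profile of this type, if any.
   *
   * Uses the generic entity storage API rather than any module-specific
   * loader so the lookup does not depend on the module's internals.
   *
   * @return \Drupal\Core\Entity\EntityInterface|null
   */
  protected function loadExistingProfile(UserInterface $user, ProfileTypeInterface $profile_type) {
    $profiles = $this->entityTypeManager->getStorage('profile')->loadByProperties([
      'uid' => $user->id(),
      'type' => $profile_type->id(),
    ]);
    return $profiles ? reset($profiles) : NULL;
  }

}
```

The point of the split is that `accessAddOnly()` grants a user holding only "add any {type} profile" access to a page that, for singular types, edits another user's existing profile, while `access()` routes that case through the entity's `update` access. To use a checker like this it would be registered as a service tagged `access_check` and referenced from the route's `requirements` (the exact tag and requirement key are the usual Drupal routing conventions and are not taken from the module).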
Comment | File | Size | Author |
---|---|---|---|
#7 | profile_add_page_allows-2884434-7.patch | 8.96 KB | mglaman |
#5 | profile_add_page_allows-2884434-5.patch | 4.57 KB | mglaman |
#3 | profile_add_page_allows-2884434-3.patch | 1.52 KB | mglaman |
Comments
Comment #2
mglaman: Providing your patch is a good step to see how we can fix this. We'll also need a test for this.
Comment #3
mglaman: Failing test.
Comment #5
mglaman: Fix + passing tests.
Comment #7
mglaman: Fixed kernel test. Looks like this even exposed a bug.
This should have failed as the user only had "create" permission and could create other user profiles. Now tests that this is false for access.
Comment #9
mglaman: Access fixed!