Check user access to the view in access handler [#2932176]

A possible scenario is that a user could lose permissions to access a view but still have the tempstore object set, and could use the AJAX endpoint to add entities to process and then execute VBO.

That would be a very limited hacking possibility, since actions also have access checks and there would be no option to modify anything else except the list of entities but still.

Also maybe set a maximum lifetime of the tempstore object?

Comments

Comment #1

20 December 2017 at 20:14

Graber created an issue. See original summary.

Comment #2

21 December 2017 at 10:23

Graber committed 2c91dd9 on 8.x-2.x

Issue #2932176: Check user access to the view in access handler

Comment #3

Graber CreditAttribution: Graber as a volunteer commented 21 December 2017 at 10:24

Status:

Needs work

» Fixed

Comment #4

4 January 2018 at 10:24

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Check user access to the view in access handler

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Parent issue

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community